Full Code of bitnami-labs/sealed-secrets for AI

Repository: bitnami-labs/sealed-secrets
Branch: main
Commit: e4154483f634
Files: 252
Total size: 934.0 KB

Directory structure:
gitextract_5lwfnjj2/

├── .gitattributes
├── .github/
│   ├── CODEOWNERS
│   ├── ISSUE_TEMPLATE/
│   │   ├── bug_report.md
│   │   └── feature_request.md
│   ├── PULL_REQUEST_TEMPLATE.md
│   ├── dependabot.yml
│   └── workflows/
│       ├── ci.yml
│       ├── cosign.pub
│       ├── helm-release.yaml
│       ├── helm-vib-lint.yaml
│       ├── helm-vib.yaml
│       ├── publish-release.yaml
│       ├── release.yaml
│       └── stale.yml
├── .gitignore
├── .golangci.yaml
├── .goreleaser.yml
├── .vib/
│   ├── vib-pipeline.json
│   └── vib-platform-verify-openshift.json
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE
├── MAINTAINERS.md
├── Makefile
├── README.md
├── RELEASE-NOTES.md
├── SECURITY.md
├── carvel/
│   └── package.yaml
├── cmd/
│   ├── controller/
│   │   ├── main.go
│   │   └── main_test.go
│   └── kubeseal/
│       ├── main.go
│       └── main_test.go
├── contrib/
│   └── prometheus-mixin/
│       ├── .gitignore
│       ├── Makefile
│       ├── README.md
│       ├── alerts/
│       │   ├── alerts.libsonnet
│       │   └── sealed-secrets-alerts.libsonnet
│       ├── config.libsonnet
│       ├── dashboards/
│       │   ├── dashboards.libsonnet
│       │   └── sealed-secrets-controller.json
│       ├── lib/
│       │   ├── alerts.jsonnet
│       │   ├── dashboards.jsonnet
│       │   └── rules.jsonnet
│       ├── mixin.libsonnet
│       ├── rules/
│       │   └── rules.libsonnet
│       └── tests.yaml
├── controller-norbac.jsonnet
├── controller-podmonitor.jsonnet
├── controller.jsonnet
├── docker/
│   ├── controller.Dockerfile
│   └── kubeseal.Dockerfile
├── docs/
│   ├── GKE.md
│   ├── bring-your-own-certificates.md
│   ├── developer/
│   │   ├── README.md
│   │   ├── controller.md
│   │   ├── crypto.md
│   │   ├── kubeseal.md
│   │   └── swagger.yml
│   └── examples/
│       └── config-template/
│           ├── README.md
│           ├── deployment.yaml
│           └── sealedsecret.yaml
├── githooks/
│   └── pre-commit/
│       └── doc-toc
├── go.mod
├── go.sum
├── hack/
│   ├── boilerplate.go.txt
│   ├── tools.go
│   └── update-codegen.sh
├── helm/
│   └── sealed-secrets/
│       ├── .helmignore
│       ├── Chart.yaml
│       ├── README.md
│       ├── crds/
│       │   └── bitnami.com_sealedsecrets.yaml
│       ├── dashboards/
│       │   └── sealed-secrets-controller.json
│       ├── templates/
│       │   ├── NOTES.txt
│       │   ├── _helpers.tpl
│       │   ├── cluster-role-binding.yaml
│       │   ├── cluster-role.yaml
│       │   ├── configmap-dashboards.yaml
│       │   ├── deployment.yaml
│       │   ├── extra-list.yaml
│       │   ├── ingress.yaml
│       │   ├── networkpolicy.yaml
│       │   ├── pdb.yaml
│       │   ├── psp-clusterrole.yaml
│       │   ├── psp-clusterrolebinding.yaml
│       │   ├── psp.yaml
│       │   ├── role-binding.yaml
│       │   ├── role.yaml
│       │   ├── service-account.yaml
│       │   ├── service.yaml
│       │   ├── servicemonitor.yaml
│       │   └── tls-secret.yaml
│       └── values.yaml
├── integration/
│   ├── controller_test.go
│   ├── integration_suite_test.go
│   └── kubeseal_test.go
├── jsonnetfile.json
├── jsonnetfile.lock.json
├── kube-fixes.libsonnet
├── pkg/
│   ├── apis/
│   │   └── sealedsecrets/
│   │       └── v1alpha1/
│   │           ├── doc.go
│   │           ├── register.go
│   │           ├── sealedsecret_expansion.go
│   │           ├── sealedsecret_test.go
│   │           ├── types.go
│   │           └── zz_generated.deepcopy.go
│   ├── buildinfo/
│   │   └── version.go
│   ├── client/
│   │   ├── clientset/
│   │   │   └── versioned/
│   │   │       ├── clientset.go
│   │   │       ├── fake/
│   │   │       │   ├── clientset_generated.go
│   │   │       │   ├── doc.go
│   │   │       │   └── register.go
│   │   │       ├── scheme/
│   │   │       │   ├── doc.go
│   │   │       │   └── register.go
│   │   │       └── typed/
│   │   │           └── sealedsecrets/
│   │   │               └── v1alpha1/
│   │   │                   ├── doc.go
│   │   │                   ├── fake/
│   │   │                   │   ├── doc.go
│   │   │                   │   ├── fake_sealedsecret.go
│   │   │                   │   └── fake_sealedsecrets_client.go
│   │   │                   ├── generated_expansion.go
│   │   │                   ├── sealedsecret.go
│   │   │                   └── sealedsecrets_client.go
│   │   ├── informers/
│   │   │   └── externalversions/
│   │   │       ├── factory.go
│   │   │       ├── generic.go
│   │   │       ├── internalinterfaces/
│   │   │       │   └── factory_interfaces.go
│   │   │       └── sealedsecrets/
│   │   │           ├── interface.go
│   │   │           └── v1alpha1/
│   │   │               ├── interface.go
│   │   │               └── sealedsecret.go
│   │   └── listers/
│   │       └── sealedsecrets/
│   │           └── v1alpha1/
│   │               ├── expansion_generated.go
│   │               └── sealedsecret.go
│   ├── controller/
│   │   ├── controller.go
│   │   ├── controller_test.go
│   │   ├── funcs.go
│   │   ├── keyregistry.go
│   │   ├── keyregistry_test.go
│   │   ├── keys.go
│   │   ├── keys_test.go
│   │   ├── main.go
│   │   ├── main_test.go
│   │   ├── metrics.go
│   │   ├── metrics_test.go
│   │   ├── server.go
│   │   ├── server_test.go
│   │   ├── signal_notwin.go
│   │   └── signal_windows.go
│   ├── crypto/
│   │   ├── crypto.go
│   │   ├── keys.go
│   │   └── keys_test.go
│   ├── flagenv/
│   │   ├── flagenv.go
│   │   └── flagenv_test.go
│   ├── kubeseal/
│   │   ├── kubeseal.go
│   │   └── kubeseal_test.go
│   ├── log/
│   │   └── log.go
│   ├── multidocyaml/
│   │   ├── multidocyaml.go
│   │   └── multidocyaml_test.go
│   └── pflagenv/
│       ├── flagenv.go
│       └── flagenv_test.go
├── schema-v1alpha1.yaml
├── scripts/
│   ├── check-k8s
│   ├── kubeseal-sudo
│   └── release-check
├── site/
│   ├── .gitignore
│   ├── README.md
│   ├── archetypes/
│   │   └── default.md
│   ├── config.yaml
│   ├── content/
│   │   ├── community/
│   │   │   └── _index.html
│   │   ├── contributors/
│   │   │   ├── agarcia-oss.md
│   │   │   ├── alvneiayu.md
│   │   │   └── index.md
│   │   ├── docs/
│   │   │   ├── CONTRIBUTING.md
│   │   │   ├── _index.md
│   │   │   ├── img/
│   │   │   │   └── _index.md
│   │   │   └── latest/
│   │   │       ├── README.md
│   │   │       ├── _index.md
│   │   │       ├── background/
│   │   │       │   ├── README.md
│   │   │       │   ├── _index.md
│   │   │       │   └── cryptography.md
│   │   │       ├── howto/
│   │   │       │   ├── README.md
│   │   │       │   ├── _index.md
│   │   │       │   └── validate-sealed-secrets.md
│   │   │       ├── project/
│   │   │       │   ├── .placeholder
│   │   │       │   └── _index.md
│   │   │       ├── reference/
│   │   │       │   ├── README.md
│   │   │       │   ├── _index.md
│   │   │       │   └── faq.md
│   │   │       └── tutorials/
│   │   │           ├── README.md
│   │   │           ├── _index.md
│   │   │           ├── getting-started.md
│   │   │           └── install-sealed-secrets.md
│   │   ├── posts/
│   │   │   └── _index.md
│   │   └── resources/
│   │       └── _index.html
│   ├── data/
│   │   └── docs/
│   │       ├── latest-toc.yml
│   │       └── toc-mapping.yml
│   ├── resources/
│   │   └── _gen/
│   │       └── assets/
│   │           └── scss/
│   │               └── scss/
│   │                   ├── site.scss_8967e03afb92eb0cac064520bf021ba2.content
│   │                   └── site.scss_8967e03afb92eb0cac064520bf021ba2.json
│   └── themes/
│       └── template/
│           ├── archetypes/
│           │   └── default.md
│           ├── assets/
│           │   └── scss/
│           │       ├── _base.scss
│           │       ├── _components.scss
│           │       ├── _footer.scss
│           │       ├── _header.scss
│           │       ├── _mixins.scss
│           │       ├── _variables.scss
│           │       └── site.scss
│           ├── layouts/
│           │   ├── _default/
│           │   │   ├── _markup/
│           │   │   │   ├── render-image.html
│           │   │   │   └── render-link.html
│           │   │   ├── baseof.html
│           │   │   ├── docs.html
│           │   │   ├── list.html
│           │   │   ├── posts.html
│           │   │   ├── search.html
│           │   │   ├── section.html
│           │   │   ├── single.html
│           │   │   ├── summary.html
│           │   │   ├── tag.html
│           │   │   └── versions.html
│           │   ├── index.html
│           │   ├── index.redirects
│           │   ├── partials/
│           │   │   ├── blog-post-card.html
│           │   │   ├── contributors.html
│           │   │   ├── docs-right-bar.html
│           │   │   ├── docs-sidebar.html
│           │   │   ├── footer.html
│           │   │   ├── getting-started.html
│           │   │   ├── header.html
│           │   │   ├── hero.html
│           │   │   ├── homepage-grid.html
│           │   │   ├── pagination.html
│           │   │   └── use-cases.html
│           │   └── shortcodes/
│           │       └── readfile.html
│           └── static/
│               ├── fonts/
│               │   ├── Open Font License.md
│               │   └── README.md
│               └── js/
│                   └── main.js
├── vendor_jsonnet/
│   └── kube-libsonnet/
│       ├── .travis.yml
│       ├── CODEOWNERS
│       ├── LICENSE
│       ├── Makefile
│       ├── README.md
│       ├── bitnami.libsonnet
│       ├── examples/
│       │   ├── guestbook/
│       │   │   └── guestbook.jsonnet
│       │   └── wordpress/
│       │       ├── backend.jsonnet
│       │       ├── frontend.jsonnet
│       │       └── wordpress.jsonnet
│       ├── kube.libsonnet
│       └── tests/
│           ├── Dockerfile
│           ├── Makefile
│           ├── docker-compose.yaml
│           ├── golden/
│           │   ├── test-sealedsecrets-datalines.json
│           │   ├── test-sealedsecrets.json
│           │   ├── test-simple-validate.json
│           │   └── unittests.json
│           ├── test-sealedsecrets-datalines.jsonnet
│           ├── test-sealedsecrets-datalines.txt
│           ├── test-sealedsecrets.jsonnet
│           ├── test-simple-validate.jsonnet
│           └── unittests.jsonnet
└── versions.env

================================================
FILE CONTENTS
================================================

================================================
FILE: .gitattributes
================================================
# Mark the vendored jsonnet tree as generated for GitHub Linguist.
# NOTE(review): GitHub collapses linguist-generated files in pull-request diffs by
# default, so changes under vendor_jsonnet/ have to be expanded and reviewed deliberately.
vendor_jsonnet/ linguist-generated=true


================================================
FILE: .github/CODEOWNERS
================================================
# These owners will be the default owners for everything in
# the repo. Unless a later match takes precedence,
# @alvneiayu and @agarcia-oss will be requested for
# review when someone opens a pull request.
# NOTE(review): this comment used to name @alemorcuq as well; the rule below does
# not list that account — confirm which is intended.
# NOTE(review): CODEOWNERS only requests reviews; whether an owner approval is required
# before merging depends on branch protection settings, which are not visible here.
* @alvneiayu @agarcia-oss


================================================
FILE: .github/ISSUE_TEMPLATE/bug_report.md
================================================
---
name: Bug report
about: Create a report to help us improve
title: ''
labels: triage
assignees: ''

---

<!--
 Before you open the bug report please review the following FAQ:

 - [Sealed Secrets FAQ](https://github.com/bitnami-labs/sealed-secrets#faq)
 -->

**Which component**:
The name (and version) of the affected component (controller or kubeseal)

**Describe the bug**
A clear and concise description of what the bug is.

**To Reproduce**
Steps to reproduce the behavior:

1. Go to '...'
2. Run the command '....'
3. Wait for '....'
4. See error

**Expected behavior**
A clear and concise description of what you expected to happen.

**Version of Kubernetes**:

- Output of `kubectl version`:

```
(paste your output here)
```

**Additional context**
Add any other context about the problem here.


================================================
FILE: .github/ISSUE_TEMPLATE/feature_request.md
================================================
---
name: Feature request
about: Suggest an idea for this project
title: ''
labels: triage
assignees: ''

---

**Which component**:
The name (and version) of the affected component (controller or kubeseal)

**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

**Describe the solution you'd like**
A clear and concise description of what you want to happen.

**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.

**Additional context**
Add any other context or screenshots about the feature request here.


================================================
FILE: .github/PULL_REQUEST_TEMPLATE.md
================================================
<!--
 Before you open the request please review the following guidelines and tips to help it be more easily integrated:

 - Describe the scope of your change - i.e. what the change does.
 - Describe any known limitations with your change.
 - Please run any tests or examples that can exercise your modified code.

 Thank you for contributing! We will try to test and integrate the change as soon as we can, but be aware we have many GitHub repositories to manage and can't immediately respond to every request. There is no need to bump or check in on a pull request (it will clutter the discussion of the request).

 Also, don't be worried if the request is closed or not integrated; sometimes the priorities of Bitnami might not match the priorities of the pull request. Don't fret: the open source community thrives on forks, and GitHub makes it easy to keep your changes in a forked repo.
 -->

**Description of the change**

<!-- Describe the scope of your change - i.e. what the change does. -->

**Benefits**

<!-- What benefits will be realized by the code change? -->

**Possible drawbacks**

<!-- Describe any known limitations with your change -->

**Applicable issues**

<!-- Enter any applicable Issues here (You can reference an issue using #) -->
- fixes #

**Additional information**

<!-- If there's anything else that's important and relevant to your pull
request, mention that information here.-->


================================================
FILE: .github/dependabot.yml
================================================
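# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

version: 2
updates:
  # Go module dependencies declared in the manifest at the repository root.
  - package-ecosystem: "gomod" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "weekly"

  # Enable version updates for Docker
  - package-ecosystem: "docker"
    directory: "/docker"
    schedule:
      interval: "weekly"

  # Enable version updates for the actions referenced under .github/workflows.
  # The workflows pin third-party actions to tags (and one to a commit SHA); without
  # this entry those pins are only refreshed by hand and can drift between files.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"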


================================================
FILE: .github/workflows/ci.yml
================================================
# CI workflow: runs for pushes to main and for pull requests targeting main.
# NOTE(review): no `permissions:` key is set in this file, so every job runs with the
# repository's default GITHUB_TOKEN permissions. None of the steps below appear to need
# more than read access to repository contents — consider declaring that explicitly.
name: CI

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

# Image coordinates; the container and integration jobs join them into CONTROLLER_IMAGE.
env:
  controller_registry: docker.io
  controller_repository: bitnami/sealed-secrets-controller
  controller_tag: latest

jobs:
  # Reads versions.env from the checkout and republishes GO_VERSION and GO_VERSION_LIST
  # as job outputs for the jobs that declare `needs: load-versions`.
  load-versions:
    name: Load versions.env
    runs-on: ubuntu-latest
    steps:
      - name: checkout repo
        uses: actions/checkout@v6.0.2
      # versions.env is sourced as shell code, so its content is executed, not just parsed.
      # On pull_request runs that content comes from the checked-out pull request; this job
      # references no secrets. Values written to $GITHUB_ENV are only visible inside this
      # job; the other jobs consume the `outputs:` below.
      - id: load-versions
        run: |
          source $GITHUB_WORKSPACE/versions.env
          # env vars
          echo "GO_VERSION=$GO_VERSION" >> $GITHUB_ENV
          echo "GO_VERSION_LIST=$GO_VERSION_LIST" >> $GITHUB_ENV
          # outputs
          echo "go_version=${GO_VERSION}" >> $GITHUB_OUTPUT
          echo "go_version_list=${GO_VERSION_LIST}" >> $GITHUB_OUTPUT
    outputs:
      go_version: ${{ steps.load-versions.outputs.go_version }}
      go_version_list: ${{ steps.load-versions.outputs.go_version_list }}
  # Runs `make lint` and `make lint-gosec` once per Go version in go_version_list.
  linter:
    needs: load-versions
    name: Run linters
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # go_version_list is a JSON array produced by the load-versions job.
        go: ${{ fromJSON(needs.load-versions.outputs.go_version_list) }}
        # NOTE(review): `os` is declared here but `runs-on` above is hard-coded.
        os: [ubuntu-latest]
        # Exact tool versions; installed below with `go install <module>@v<version>`.
        golangci-lint: ["1.64.8"]
        gosec: ["2.22.2"]
    steps:
    - name: Set up Go 1.x
      uses: actions/setup-go@v6.3.0
      with:
        go-version: ${{ matrix.go }}
      id: go

    - name: Check out code into the Go module directory
      uses: actions/checkout@v6.0.2

    - name: Install dependencies
      run: |
        go install github.com/golangci/golangci-lint/cmd/golangci-lint@v${{ matrix.golangci-lint }}
        go install github.com/securego/gosec/v2/cmd/gosec@v${{ matrix.gosec }}

    - name: Run linter
      run: make lint

    # Static security analysis of the Go sources; the target is defined in the Makefile.
    - name: Run gosec
      run: make lint-gosec

  # Runs `make test` on macOS, Windows and Linux for each Go version in go_version_list
  # and publishes the JUnit report as a job summary.
  test:
    needs: load-versions
    name: Build
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        go: ${{ fromJSON(needs.load-versions.outputs.go_version_list) }}
        os: [macos-latest, windows-latest, ubuntu-latest]
        gotestsum: ["1.8.1"]
    steps:

    - name: Set up Go 1.x
      uses: actions/setup-go@v6.3.0
      with:
        go-version: ${{ matrix.go }}
      id: go

    - name: Check out code into the Go module directory
      uses: actions/checkout@v6.0.2

    - name: Install dependencies
      run: |
        go install gotest.tools/gotestsum@v${{ matrix.gotestsum }}

    # GO_FLAGS is handed to the Makefile's test target; it makes the run write report.xml.
    - name: Test
      run: make GO_FLAGS="--junitfile report.xml --format testname" test

    # NOTE(review): third-party action referenced by a floating major tag (`@v2`), so the
    # code that runs can change without a change in this file. publish-release.yaml pins
    # actions/checkout to a full commit SHA; consider the same here.
    - name: Test Summary
      uses: test-summary/action@v2
      with:
        paths: |
          report.xml

  # Verifies the base image signature, builds controller.yaml and the linux-amd64
  # controller image, and uploads both as artifacts for the integration jobs.
  container:
    needs: load-versions
    name: Build Container
    runs-on: ubuntu-latest
    steps:
    - name: "Set environmental variables"
      run: |
        echo "CONTROLLER_IMAGE=$controller_registry/$controller_repository:$controller_tag" >> $GITHUB_ENV

    - name: Check out code
      uses: actions/checkout@v6.0.2

    - name: Install Cosign
      uses: sigstore/cosign-installer@v3.4.0
      with:
        cosign-release: v2.2.3

    # The diff fails the step unless both Dockerfiles name the same FROM image(s).
    # cosign then checks that image's keyless signature against a fixed OIDC issuer and
    # signer identity, so a signature from any other identity is rejected.
    # NOTE(review): this verifies whatever reference the FROM line carries. If that is a
    # tag rather than a digest, the image pulled later by `docker build` is not bound to
    # the one verified here — confirm against the Dockerfiles. With more than one FROM
    # line the command substitution would expand to several lines; presumably each
    # Dockerfile has a single stage.
    - name: Distroless verify
      run: |
        diff <(grep FROM docker/kubeseal.Dockerfile | awk '{print $2}') \
             <(grep FROM docker/controller.Dockerfile | awk '{print $2}')
        cosign verify "$(grep FROM docker/controller.Dockerfile | awk '{print $2}')" --certificate-oidc-issuer https://accounts.google.com  --certificate-identity keyless@distroless.iam.gserviceaccount.com

    # NOTE(review): the kubecfg binary is downloaded at a fixed release version and made
    # executable without a checksum or signature check, so its integrity rests on TLS and
    # the release host alone. Comparing it against a pinned SHA-256 before `chmod +x`
    # would close that gap.
    - name: Setup kubecfg
      run: |
        mkdir -p ~/bin
        curl -sLf https://github.com/kubecfg/kubecfg/releases/download/v0.26.0/kubecfg_Linux_X64 >~/bin/kubecfg
        chmod +x ~/bin/kubecfg

    - name: Set up Go 1.x
      uses: actions/setup-go@v6.3.0
      with:
        go-version: ${{ needs.load-versions.outputs.go_version }}
      id: go

    # The manifest is rendered with IMAGE_PULL_POLICY=Never, and the image is saved to a
    # tarball under the CONTROLLER_IMAGE name for the integration jobs to load.
    - name: Docker build
      run: |
        export PATH=~/bin:$PATH
        make CONTROLLER_IMAGE=$CONTROLLER_IMAGE IMAGE_PULL_POLICY=Never controller.yaml
        make CONTROLLER_IMAGE=$CONTROLLER_IMAGE controller.image.linux-amd64
        docker tag $CONTROLLER_IMAGE-linux-amd64 $CONTROLLER_IMAGE
        docker save $CONTROLLER_IMAGE -o /tmp/controller-image.tar

    - name: Upload manifest artifact
      uses: actions/upload-artifact@v6.0.0
      with:
        name: controller-manifest
        path: controller.yaml

    - name: Upload container image artifact
      uses: actions/upload-artifact@v6.0.0
      with:
        name: controller-image
        path: /tmp/controller-image.tar

  # Deploys the controller from the controller.yaml artifact into minikube, once per
  # Kubernetes version in the matrix, and runs the Ginkgo integration suite against it.
  integration-yaml:
    needs: [ load-versions, container ]
    name: Integration (controller.yaml)
    runs-on: ubuntu-latest
    strategy:
      matrix:
        k8s: ["1.32.12","1.33.8","1.34.4","1.35.1"]
    env:
      MINIKUBE_WANTUPDATENOTIFICATION: "false"
      MINIKUBE_WANTREPORTERRORPROMPT: "false"
      CHANGE_MINIKUBE_NONE_USER: "true"
    steps:
    - name: "Set environmental variables"
      run: |
        echo "CONTROLLER_IMAGE=$controller_registry/$controller_repository:$controller_tag" >> $GITHUB_ENV

    - name: Set up Go 1.x
      uses: actions/setup-go@v6.3.0
      with:
        go-version: ${{ needs.load-versions.outputs.go_version }}
      id: go

    - name: Set up Ginkgo
      run: |
        go install github.com/onsi/ginkgo/ginkgo@v1.16.4

    - name: Check out code into the Go module directory
      uses: actions/checkout@v6.0.2

    # NOTE(review): third-party action pinned to a tag, not a commit SHA.
    - uses: medyagh/setup-minikube@v0.0.21
      with:
        minikube-version: 1.38.0
        kubernetes-version: ${{ matrix.k8s }}

    # need to delete old state of the cluster, see:
    # https://github.com/kubernetes/minikube/issues/8765
    - name: K8s setup
      run: |
        minikube delete
        minikube config set kubernetes-version v${{ matrix.k8s }}
        minikube start --vm-driver=docker
        minikube update-context
        kubectl cluster-info

    - name: Download manifest artifact
      uses: actions/download-artifact@v7.0.0
      with:
        name: controller-manifest

    - name: Download container image artifact
      uses: actions/download-artifact@v7.0.0
      with:
        name: controller-image

    # Loads the tarball built by the container job into minikube's Docker daemon. The
    # manifest was rendered with IMAGE_PULL_POLICY=Never, so the pod has to use this
    # locally loaded image instead of pulling the `latest` tag from the registry.
    - name: Load docker image
      run: |
        eval $(minikube docker-env)
        docker load -i controller-image.tar
        docker inspect $CONTROLLER_IMAGE

    # A failed or timed-out rollout falls through to `kubectl describe`, whose exit status
    # then becomes the step's; the describe output is there for diagnosis.
    - name: Testing environment setup
      run: |
        kubectl apply -f controller.yaml
        kubectl rollout status deployment/sealed-secrets-controller -n kube-system -w --timeout=1m || kubectl -n kube-system describe pod -lname=sealed-secrets-controller

    - name: Integration tests
      run: make integrationtest CONTROLLER_IMAGE=$CONTROLLER_IMAGE GINKGO="ginkgo -v --randomizeSuites --failOnPending --trace --progress --compilers=2 --nodes=4"

  # Installs the controller from the local Helm chart into minikube, once per Kubernetes
  # version in the matrix, and runs the same Ginkgo integration suite against it.
  integration-chart:
    needs: [ load-versions, container ]
    name: Integration (Helm Chart)
    runs-on: ubuntu-latest
    strategy:
      matrix:
        k8s: ["1.32.12","1.33.8","1.34.4","1.35.1"]
    env:
      MINIKUBE_WANTUPDATENOTIFICATION: "false"
      MINIKUBE_WANTREPORTERRORPROMPT: "false"
      CHANGE_MINIKUBE_NONE_USER: "true"
    steps:
    - name: "Set environmental variables"
      run: |
        echo "CONTROLLER_IMAGE=$controller_registry/$controller_repository:$controller_tag" >> $GITHUB_ENV

    - name: Set up Go 1.x
      uses: actions/setup-go@v6.3.0
      with:
        go-version: ${{ needs.load-versions.outputs.go_version }}
      id: go

    - name: Set up Ginkgo
      run: |
        go install github.com/onsi/ginkgo/ginkgo@v1.16.4

    - name: Check out code into the Go module directory
      uses: actions/checkout@v6.0.2

    # NOTE(review): third-party action pinned to a tag, not a commit SHA.
    - uses: medyagh/setup-minikube@v0.0.21
      with:
        minikube-version: 1.38.0
        kubernetes-version: ${{ matrix.k8s }}

    # NOTE(review): this job installs Helm with azure/setup-helm@v3.5 and Helm v3.12.0,
    # while helm-release.yaml uses azure/setup-helm@v4.3.1 with v4.1.1, so the chart is
    # tested with a different Helm major version than the one that publishes it.
    - name: Install Helm
      uses: azure/setup-helm@v3.5
      with:
        version: v3.12.0

    # need to delete old state of the cluster, see:
    # https://github.com/kubernetes/minikube/issues/8765
    - name: K8s setup
      run: |
        minikube delete
        minikube config set kubernetes-version v${{ matrix.k8s }}
        minikube start --vm-driver=docker
        minikube update-context
        kubectl cluster-info

    - name: Download container image artifact
      uses: actions/download-artifact@v7.0.0
      with:
        name: controller-image

    # Loads the tarball built by the container job into minikube's Docker daemon; the
    # chart is installed below with image.pullPolicy=Never so that this image is used.
    - name: Load docker image
      run: |
        eval $(minikube docker-env)
        docker load -i controller-image.tar
        docker inspect $CONTROLLER_IMAGE

    # A failed or timed-out rollout falls through to `kubectl describe`, whose exit status
    # then becomes the step's; the describe output is there for diagnosis.
    - name: Testing environment setup
      run: |
        helm install sealed-secrets -n kube-system --set fullnameOverride=sealed-secrets-controller --set image.registry=$controller_registry --set image.repository=$controller_repository --set image.tag=$controller_tag --set image.pullPolicy=Never helm/sealed-secrets
        kubectl rollout status deployment/sealed-secrets-controller -n kube-system -w --timeout=1m || kubectl -n kube-system describe pod -lapp.kubernetes.io/name=sealed-secrets

    - name: Integration tests
      run: make integrationtest CONTROLLER_IMAGE=$CONTROLLER_IMAGE GINKGO="ginkgo -v --randomizeSuites --failOnPending --trace --progress --compilers=2 --nodes=4"


================================================
FILE: .github/workflows/cosign.pub
================================================
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEseWNtEaI73oDVgjfLzU4eQYHE11i
MzRSNs1TA+cTT/Lw70ckfCC/vHnOXKACF2dnhsZsNNj647p9mAiYNVl9ug==
-----END PUBLIC KEY-----


================================================
FILE: .github/workflows/helm-release.yaml
================================================
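# Publishes the Helm chart (chart-releaser release plus an OCI push to Docker Hub) and
# the Carvel imgpkg bundle, then opens a pull request that updates carvel/package.yaml.
# NOTE(review): the job creates releases, pushes a branch, pushes to ghcr.io and opens a
# pull request with GITHUB_TOKEN, but no `permissions:` block is declared, so it relies on
# the repository's default token permissions. Declaring the scopes it needs (contents,
# packages and pull-requests write, as far as the steps below show) keeps it working if
# the default is tightened and documents the blast radius of the token.
name: Release Helm Chart and Carvel package

on:
  push:
    paths:
      # update this file to trigger helm chart release
      - 'helm/sealed-secrets/Chart.yaml'
    branches:
      - main
  workflow_dispatch:

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      # Full history is fetched (fetch-depth: 0).
      - name: Checkout
        uses: actions/checkout@v6.0.2
        with:
          fetch-depth: 0

      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"

      - name: Install Helm
        uses: azure/setup-helm@v4.3.1
        with:
          version: v4.1.1

      # NOTE(review): the third-party actions in this release job are pinned to tags;
      # a commit-SHA pin (as publish-release.yaml uses for actions/checkout) gives a
      # stronger guarantee for steps that receive GITHUB_TOKEN.
      - name: Run chart-releaser
        uses: helm/chart-releaser-action@v1.4.1
        with:
          charts_dir: helm
        env:
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          CR_RELEASE_NAME_TEMPLATE: "helm-v{{ .Version }}"

      - name: Install Carvel
        uses: carvel-dev/setup-action@v1.3.0
        with:
          only: kbld, imgpkg
          token: ${{ secrets.GITHUB_TOKEN }}

      # NOTE(review): the yq binary is downloaded at a fixed release version and made
      # executable without a checksum or signature check; it later runs in steps of a job
      # that holds registry credentials. Verifying a pinned SHA-256 first would close that gap.
      - name: Install yq
        run: |
          mkdir -p ~/bin
          wget https://github.com/mikefarah/yq/releases/download/v4.30.8/yq_linux_amd64 -O ~/bin/yq
          chmod +x ~/bin/yq

      # chart_version is read from Chart.yaml and exported to later steps via $GITHUB_ENV.
      - name: Get chart version
        run: |
          export PATH=~/bin:$PATH
          echo "chart_version=$(yq .version < ./helm/sealed-secrets/Chart.yaml)" >> $GITHUB_ENV

      # Replaces the runner's resolver configuration with two fixed public resolvers;
      # every later step, including the registry logins and pushes, resolves through them.
      - name: Configure DNS for registry access
        run: |
          echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf > /dev/null
          echo "nameserver 8.8.4.4" | sudo tee -a /etc/resolv.conf > /dev/null

      # The credentials are quoted so that whitespace or glob characters in a secret are
      # passed through unchanged instead of being word-split or expanded by the shell, and
      # printf is used so a value that looks like an echo option is not swallowed. The
      # password is supplied on stdin, not as a command-line argument.
      - name: OCI Push
        env:
          OCI_PASS: ${{ secrets.OCI_PASSWORD }}
          OCI_USR: ${{ secrets.OCI_USERNAME }}
          HELM_EXPERIMENTAL_OCI: 1
        run: |
          printf '%s\n' "$OCI_PASS" | helm registry login -u "$OCI_USR" --password-stdin registry-1.docker.io
          helm package helm/sealed-secrets/
          helm push sealed-secrets-${{ env.chart_version }}.tgz oci://registry-1.docker.io/bitnamicharts/sealed-secrets

      - name: Create imglock file
        working-directory: ./helm
        run: |
          mkdir -p .imgpkg
          kbld -f <(helm template sealed-secrets) --imgpkg-lock-output .imgpkg/images.yml

      # carvel_pkg is taken from the text between single quotes on the "Pushed" line of
      # imgpkg's output and exported via $GITHUB_ENV.
      - name: Push imgpkg bundle
        working-directory: ./helm
        env:
          IMGPKG_REGISTRY_HOSTNAME: ghcr.io
          IMGPKG_REGISTRY_USERNAME: ${{ github.actor }}
          IMGPKG_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
        run: |
          imgpkg push -b ghcr.io/${{ github.repository_owner }}/sealed-secrets-carvel:${{ env.chart_version }} -f . --json > output
          echo carvel_pkg=$(cat output | grep Pushed | cut -d "'" -f2 ) >> $GITHUB_ENV

      # NOTE(review): `${{ env.chart_version }}` and `${{ env.carvel_pkg }}` are expanded
      # into the script text before the shell runs. Both values derive from repository
      # content and tool output; reading them as shell variables would keep them as data
      # even if Chart.yaml ever held an unexpected version string.
      - name: Update package.yaml
        run: |
          yq -i '.spec.version = "${{ env.chart_version }}"' carvel/package.yaml
          yq -i '.metadata.name = "sealedsecrets.bitnami.com.${{ env.chart_version }}"' carvel/package.yaml
          yq -i '.spec.template.spec.fetch.0.imgpkgBundle.image = "${{ env.carvel_pkg }}"' carvel/package.yaml
          git checkout -B 'release-carvel-${{ env.chart_version }}'
          git add carvel/package.yaml
          git commit -sm 'Release carvel package ${{ env.chart_version }}'
          git push origin 'release-carvel-${{ env.chart_version }}'

      - name: Create PR
        run: gh pr create --fill --base main --repo $GITHUB_REPOSITORY
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}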


================================================
FILE: .github/workflows/helm-vib-lint.yaml
================================================
# Lints the Helm chart with the VMware Image Builder (VIB) action for pull requests
# that touch helm/**, and on manual dispatch.
#
# NOTE(review): security-sensitive trigger combination. `pull_request_target` runs in the
# context of the base repository, so repository secrets are available even when the pull
# request comes from a fork, and the checkout step below fetches the pull request's head
# (ref and repository) rather than the base branch. Content controlled by the pull-request
# author is therefore processed by a job that has CSP_API_TOKEN in its environment.
# What vmware-image-builder-action does with the checked-out files is not visible here —
# confirm that it never executes them on the runner. Mitigations to consider: require a
# maintainer approval or label before the job runs, gate the token behind an `environment:`
# with required reviewers (helm-vib.yaml already declares `environment: vmware-image-builder`),
# set `persist-credentials: false` on the checkout, and declare minimal `permissions:`.
name: Lint Helm Chart
on:
  workflow_dispatch:
  pull_request_target:
    branches:
      - main
      # NOTE(review): `bitnami-labs:main` looks like an owner:branch label rather than a
      # branch name — confirm that this filter entry matches anything.
      - bitnami-labs:main
    paths:
      - 'helm/**'

# Workflow-level env: every step of every job in this file receives CSP_API_TOKEN.
env:
  CSP_API_URL: https://console.tanzu.broadcom.com
  CSP_API_TOKEN: ${{ secrets.CSP_API_TOKEN }}
  VIB_PUBLIC_URL: https://cp.app-catalog.vmware.com

jobs:
  # make sure chart is linted/safe
  vib-validate:
    runs-on: ubuntu-latest
    name: Lint chart
    steps:
      # Checks out the pull request's head, i.e. code that has not been reviewed or merged.
      - uses: actions/checkout@v6.0.2
        with:
          ref: ${{github.event.pull_request.head.ref}}
          repository: ${{github.event.pull_request.head.repo.full_name}}
      # No `with:` inputs are given; the action runs with the workflow-level env above.
      - uses: vmware-labs/vmware-image-builder-action@v0.11.0


================================================
FILE: .github/workflows/helm-vib.yaml
================================================
# Verifies the Helm chart on the target platforms in the matrix with the VMware Image
# Builder (VIB) action, for pushes to main that touch helm/** and on manual dispatch.
name: Verify Helm Chart
on:
  workflow_dispatch:
  push:
    branches:
      - main
    paths:
       - 'helm/**'

# Workflow-level env: every step of every job in this file receives CSP_API_TOKEN.
env:
  CSP_API_URL: https://console.tanzu.broadcom.com
  CSP_API_TOKEN: ${{ secrets.CSP_API_TOKEN }}
  VIB_PUBLIC_URL: https://cp.app-catalog.vmware.com

jobs:
  # verify chart in multiple target platforms
  vib-k8s-verify:
    runs-on: ubuntu-latest
    # The job is attached to a deployment environment, so any protection rules configured
    # for `vmware-image-builder` (not visible here) apply before it runs.
    environment: vmware-image-builder
    strategy:
      matrix:
       include:
         - name: Openshift
           target-platform: openshift
           target-platform-id: ebac9e0d-3931-4515-ba54-e6adada1f174
           target-pipeline: vib-platform-verify-openshift.json
      fail-fast: false
    name: Verify chart (${{ matrix.name }})
    steps:
      # `github.event.pull_request` is not populated for `push` or `workflow_dispatch`
      # events, so both expressions below evaluate to empty strings.
      # NOTE(review): actions/checkout then presumably falls back to its defaults (the
      # triggering ref in this repository) — confirm, or drop the `with:` block so that
      # what gets checked out is explicit.
      - uses: actions/checkout@v6.0.2
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
      # max-pipeline-duration is given as 7200; the unit is defined by the action.
      - uses: vmware-labs/vmware-image-builder-action@v0.11.0
        with:
          pipeline: ${{ matrix.target-pipeline }}
          max-pipeline-duration: 7200
        env:
          TARGET_PLATFORM: ${{ matrix.target-platform-id }}


================================================
FILE: .github/workflows/publish-release.yaml
================================================
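# Manually dispatched workflow: bumps the chart version and appVersion, pushes the change
# to a release-chart-<version> branch and opens a pull request against main.
# NOTE(review): the job pushes a branch and opens a pull request with GITHUB_TOKEN but
# declares no `permissions:` block, so it relies on the repository's default token permissions.
name: Publish Release

on:
  workflow_dispatch:
    inputs:
      chart:
        description: 'Chart version (e.g. 2.11.3)'
        required: true
        type: string

jobs:
  chart-pr:
    runs-on: ubuntu-latest
    steps:
      # Pinned to a full commit SHA; the trailing comment records the matching tag.
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

      - name: Config Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"

      # NEW_VERSION: nearest tag matching v[0-9]* with every "v" removed.
      # PREV_VERSION: the digits-and-dots part of the appVersion line in Chart.yaml.
      - name: Fetch Versions
        run: |
          echo NEW_VERSION=$(git describe --tags --match "v[0-9]*" --abbrev=0 | tr -d v) >> "$GITHUB_ENV"
          echo PREV_VERSION=$(grep appVersion helm/sealed-secrets/Chart.yaml | grep -o '[0-9.]*') >> "$GITHUB_ENV"

      - name: Update Version
        env:
          # The dispatch input reaches the script as data in an environment variable
          # instead of being template-expanded into the shell source, where quotes or
          # shell metacharacters in the value would become part of the script.
          CHART_VERSION: ${{ inputs.chart }}
        run: |
          # Accept only characters that can occur in a SemVer string. Anything else
          # would also be unsafe inside the sed expression and the branch name below.
          case "$CHART_VERSION" in
            ''|*[!0-9A-Za-z.+-]*) echo "invalid chart version: $CHART_VERSION" >&2; exit 1 ;;
          esac
          sed -i "s/version: .*/version: $CHART_VERSION/" helm/sealed-secrets/Chart.yaml
          sed -i "s/appVersion: .*/appVersion: $NEW_VERSION/" helm/sealed-secrets/Chart.yaml
          sed -i "s/tag: .*/tag: $NEW_VERSION/" helm/sealed-secrets/values.yaml
          sed -i "s/\`$PREV_VERSION\`/\`$NEW_VERSION\`/" helm/sealed-secrets/README.md
          git checkout -B "release-chart-$CHART_VERSION"
          git add helm/sealed-secrets/Chart.yaml helm/sealed-secrets/values.yaml helm/sealed-secrets/README.md
          git commit -sm "Release chart $CHART_VERSION"
          git push origin "release-chart-$CHART_VERSION"

      - name: Create PR
        run: gh pr create --fill --base main --repo $GITHUB_REPOSITORY
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}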


================================================
FILE: .github/workflows/release.yaml
================================================
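# Builds, tests, signs and publishes a release (binaries, manifests and
# multi-arch container images) when a release/vX.Y.Z branch is pushed.
name: Prepare Release

# Only release when a new GH release branch is pushed
on:
  push:
    branches:
      - 'release/v[0-9]+.[0-9]+.[0-9]+'

jobs:
  build:
    runs-on: ubuntu-latest
    # Least privilege for the job token: create the GitHub release (contents)
    # and push images and signatures to GHCR (packages).
    permissions:
      contents: write
      packages: write
    env:
      controller_dockerhub_image_name: docker.io/bitnami/sealed-secrets-controller
      controller_ghcr_image_name: ghcr.io/bitnami-labs/sealed-secrets-controller
      kubeseal_dockerhub_image_name: docker.io/bitnami/sealed-secrets-kubeseal
      kubeseal_ghcr_image_name: ghcr.io/bitnami-labs/sealed-secrets-kubeseal
    steps:
      # NOTE(review): apart from the checkout below, the actions in this job are
      # referenced by version tag. This job handles the signing key and registry
      # credentials, so pinning each action to a full commit SHA (as
      # publish-release.yaml does for checkout) is worth doing.

      # Checkout and set env
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
      - id: load-version
        run: |
          source "$GITHUB_WORKSPACE/versions.env"
          echo "GO_VERSION=$GO_VERSION" >> "$GITHUB_ENV"
      - name: Set up Go
        uses: actions/setup-go@v6.3.0
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Setup kubecfg
        run: |
          mkdir -p ~/bin
          # NOTE(review): the downloaded binary is executed later in this job without
          # an integrity check; verify it against a known SHA-256 before chmod +x.
          curl -sLf https://github.com/kubecfg/kubecfg/releases/download/v0.26.0/kubecfg_Linux_X64 >~/bin/kubecfg
          chmod +x ~/bin/kubecfg

      - name: Install dependencies
        run: |
          go install gotest.tools/gotestsum@v1.8.1

      # Run tests
      - name: Tests
        run: make test

      # Generate K8s manifests
      - name: K8s manifests
        run: |
          export PATH=~/bin:$PATH
          # The ref is read from the runner-provided GITHUB_REF variable rather than
          # expanded with ${{ }} into the script, so it is never parsed as shell code.
          RELEASE_BRANCH="$GITHUB_REF"
          # Last path component of refs/heads/release/vX.Y.Z, e.g. vX.Y.Z
          VERSION_TAG="${RELEASE_BRANCH##*/}"
          echo "VERSION_TAG=$VERSION_TAG" >> "$GITHUB_ENV"
          # Image tags carry the version without the leading "v"
          IMAGE_TAG="${VERSION_TAG#v}"
          echo "IMAGE_TAG=$IMAGE_TAG" >> "$GITHUB_ENV"
          make CONTROLLER_IMAGE="${controller_dockerhub_image_name}:${IMAGE_TAG}" controller.yaml controller-norbac.yaml

      # Setup env for multi-arch builds
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2.0.0
        with:
          # NOTE(review): ":latest" is a mutable tag; consider pinning by digest.
          image: tonistiigi/binfmt:latest
          platforms: arm64,arm
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2.0.0

      # Setup Cosign
      - name: Install Cosign
        uses: sigstore/cosign-installer@v3.0.2
      - name: Write Cosign key
        run: |
          # Create the private key file readable by the runner user only.
          umask 077
          printf '%s\n' "$COSIGN_KEY" > /tmp/cosign.key
        env:
          COSIGN_KEY: ${{ secrets.COSIGN_KEY }}

      # Tag for GoReleaser from release branch name
      - name: Tag Release
        run: |
          git tag "${VERSION_TAG}"

      # Build & Release binaries
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v6
        if: success() && startsWith(github.ref, 'refs/heads/')
        with:
          distribution: goreleaser
          version: v2.11.2
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

      # Build & Publish multi-arch image
      - name: Login to Docker Hub
        uses: docker/login-action@v2.0.0
        with:
          username: ${{ secrets.BITNAMI_USERNAME }}
          password: ${{ secrets.BITNAMI_PASSWORD }}
      - name: Login to GHRC
        uses: docker/login-action@v2.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract metadata (tags, labels) for Docker controller image
        id: meta_controller
        uses: docker/metadata-action@v4.0.1
        with:
          images: |
            ${{ env.controller_dockerhub_image_name }}
            ${{ env.controller_ghcr_image_name }}
          tags: |
            type=raw,value=${{ env.IMAGE_TAG }}
            type=raw,value=latest
      - name: Build and push controller image
        id: docker_build_controller
        uses: docker/build-push-action@v3.2.0
        with:
          context: .
          file: ./docker/controller.Dockerfile
          platforms: linux/amd64,linux/arm64,linux/arm
          push: true
          tags: ${{ steps.meta_controller.outputs.tags }}
      - name: Extract metadata (tags, labels) for Docker kubeseal image
        id: meta_kubeseal
        uses: docker/metadata-action@v4.0.1
        with:
          images: |
            ${{ env.kubeseal_dockerhub_image_name }}
            ${{ env.kubeseal_ghcr_image_name }}
          tags: |
            type=raw,value=${{ env.IMAGE_TAG }}
            type=raw,value=latest
      - name: Build and push kubeseal image
        id: docker_build_kubeseal
        uses: docker/build-push-action@v3.2.0
        with:
          context: .
          file: ./docker/kubeseal.Dockerfile
          platforms: linux/amd64,linux/arm64,linux/arm
          push: true
          tags: ${{ steps.meta_kubeseal.outputs.tags }}
      # Signatures are stored in the "<ghcr image>/signs" repository (COSIGN_REPOSITORY).
      # NOTE(review): the images are signed by tag. Signing "<image>@<digest>" with the
      # digest reported by the build step would bind the signature to exactly what was
      # pushed, independent of any later tag move.
      - name: Sign controller image with a key in GHCR
        run: |
          # TAG_CURRENT is left unquoted on purpose: it presumably holds several image
          # references separated by whitespace, each passed as its own argument.
          echo -n "$COSIGN_PASSWORD" | cosign sign --key /tmp/cosign.key --yes $TAG_CURRENT
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          TAG_CURRENT: ${{ steps.meta_controller.outputs.tags }}
          COSIGN_REPOSITORY: ${{ env.controller_ghcr_image_name }}/signs
      - name: Sign kubeseal image with a key in GHCR
        run: |
          # Same as above: TAG_CURRENT is split into one argument per image reference.
          echo -n "$COSIGN_PASSWORD" | cosign sign --key /tmp/cosign.key --yes $TAG_CURRENT
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          TAG_CURRENT: ${{ steps.meta_kubeseal.outputs.tags }}
          COSIGN_REPOSITORY: ${{ env.kubeseal_ghcr_image_name }}/signs

      # Remove the private key from the runner even when an earlier step failed.
      - name: Remove Cosign key
        if: always()
        run: rm -f /tmp/cosign.key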


================================================
FILE: .github/workflows/stale.yml
================================================
# Marks inactive issues and pull requests as stale and closes them later on.
name: "Close stale issues and PRs"

on:
  schedule:
    # Daily run at 01:00 (GitHub evaluates cron schedules in UTC)
    - cron: "0 1 * * *"

jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/stale@v10.1.1
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          # Upper bound on the number of API operations performed in one run
          operations-per-run: 500
          # Timeline: stale after 15 days without activity, closed 7 days after that
          days-before-stale: 15
          days-before-close: 7
          # Items carrying any of these labels are never marked stale
          exempt-issue-labels: "backlog,help wanted,triage"
          exempt-pr-labels: "backlog,help wanted,triage"
          # Comments posted when an item is marked stale
          stale-issue-message: 'This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.'
          stale-pr-message: 'This Pull Request has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thank you for your contribution.'
          # Comments posted when a stale item is closed
          close-issue-message: 'Due to the lack of activity in the last 7 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.'
          close-pr-message: 'Due to the lack of activity in the last 7 days since it was marked as "stale", we proceed to close this Pull Request. Do not hesitate to reopen it later if necessary.'


================================================
FILE: .gitignore
================================================
# Binaries for programs and plugins
*.exe
*.dll
*.so
*.dylib

# Test binary, built with `go test -c`
*.test

# Output of the go coverage tool, specifically when used with LiteIDE
*.out

# Project-local glide cache, RE: https://github.com/Masterminds/glide/issues/736
.glide/

# Project-local vscode config
.vscode/

/controller
/kubeseal
/kubeseal-arm
/kubeseal-arm64

/controller.image
/controller.image.*
/kubeseal.image
/kubeseal.image.*
/pushed.controller.image.*
/pushed.kubeseal.image.*
/controller-manifest-*
/push-controller-image
/*-static
/*-static-*
/controller.yaml
/controller-norbac.yaml
/controller-podmonitor.yaml
/docker/controller
*.iml
.idea

# GoReleaser output dir
dist/

# Vendor folder
vendor/
report.xml


================================================
FILE: .golangci.yaml
================================================
# Inspired by https://gist.github.com/maratori/47a4d00457a92aa426dbd48a18776322

# output configuration options
output:
  # Format: colored-line-number|line-number|json|tab|checkstyle|code-climate|junit-xml|github-actions
  # Default: colored-line-number
  format: checkstyle:report.xml,colored-line-number:stdout

# Options for analysis running.
run:
  # Timeout for analysis, e.g. 30s, 5m.
  # Default: 1m
  timeout: 5m

# This file contains only configs which differ from defaults.
# All possible options can be found here https://github.com/golangci/golangci-lint/blob/master/.golangci.reference.yml
linters-settings:
  cyclop:
    # The maximal code complexity to report.
    # Default: 10
    max-complexity: 30
    # The maximal average package complexity.
    # If it's higher than 0.0 (float) the check is enabled
    # Default: 0.0
    package-average: 10.0

  errcheck:
    # Report about not checking of errors in type assertions: `a := b.(MyStruct)`.
    # Such cases aren't reported by default.
    # Default: false
    check-type-assertions: true

    # report about assignment of errors to blank identifier: `num, _ := strconv.Atoi(numStr)`.
    # Such cases aren't reported by default.
    # Default: false
    check-blank: true

  exhaustive:
    # Program elements to check for exhaustiveness.
    # Default: [ switch ]
    check:
      - switch
      - map

  exhaustruct:
    # List of regular expressions to exclude struct packages and names from check.
    # Default: []
    exclude:
      # std libs
      - "^net/http.Client$"
      - "^net/http.Cookie$"
      - "^net/http.Request$"
      - "^net/http.Response$"
      - "^net/http.Server$"
      - "^net/http.Transport$"
      - "^net/url.URL$"
      - "^os/exec.Cmd$"
      - "^reflect.StructField$"
      # public libs (add more if needed)

  funlen:
    # Checks the number of lines in a function.
    # If lower than 0, disable the check.
    # Default: 60
    lines: 100
    # Checks the number of statements in a function.
    # If lower than 0, disable the check.
    # Default: 40
    statements: 50

  gocognit:
    # Minimal code complexity to report.
    # Default: 30 (but we recommend 10-20)
    min-complexity: 20

  goconst:
    # Minimal length of string constant.
    # Default: 3
    min-len: 2
    # Minimum occurrences of constant string count to trigger issue.
    # Default: 3
    min-occurrences: 2
    # Search also for duplicated numbers.
    # Default: false
    numbers: true
    # Minimum value, only works with goconst.numbers
    # Default: 3
    min: 2

  gocritic:
    # Settings passed to gocritic.
    # The settings key is the name of a supported gocritic checker.
    # The list of supported checkers can be found at https://go-critic.github.io/overview.
    settings:
      captLocal:
        # Whether to restrict checker to params only.
        # Default: true
        paramsOnly: false
      underef:
        # Whether to skip (*x).method() calls where x is a pointer receiver.
        # Default: true
        skipRecvDeref: false

  gomnd:
    # List of function patterns to exclude from analysis.
    # Values always ignored: `time.Date`,
    # `strconv.FormatInt`, `strconv.FormatUint`, `strconv.FormatFloat`,
    # `strconv.ParseInt`, `strconv.ParseUint`, `strconv.ParseFloat`.
    # Default: []
    ignored-functions:
      - os.Chmod
      - os.Mkdir
      - os.MkdirAll
      - os.OpenFile
      - os.WriteFile
      - math.*
      - http.StatusText

  govet:
    # Enable all analyzers.
    # Default: false
    enable-all: true

    # Disable analyzers by name.
    # Run `go tool vet help` to see all analyzers.
    # Default: []
    disable:
      - fieldalignment # too strict, it warns about struct fields that are not aligned by size

    # Settings per analyzer.
    settings:
      shadow:
        # Whether to be strict about shadowing; can be noisy.
        # Default: false
        strict: true

  nakedret:
    # Make an issue if func has more lines of code than this setting, and it has naked returns.
    # Default: 30
    max-func-lines: 0

  nestif:
    # Minimal complexity of if statements to report.
    # Default: 5
    min-complexity: 4

  nolintlint:
    # Exclude following linters from requiring an explanation.
    # Default: []
    allow-no-explanation: [funlen, gocognit, lll]
    # Enable to require an explanation of nonzero length after each nolint directive.
    # Default: false
    require-explanation: true
    # Enable to require nolint directives to mention the specific linter being suppressed.
    # Default: false
    require-specific: true

  lll:
    # Max line length, lines longer will be reported.
    # '\t' is counted as 1 character by default, and can be changed with the tab-width option.
    # Default: 120.
    line-length: 240

  rowserrcheck:
    # database/sql is always checked
    # Default: []
    packages:
      - github.com/jmoiron/sqlx

  tenv:
    # The option `all` will run against whole test files (`_test.go`) regardless of method/function signatures.
    # Otherwise, only methods that take `*testing.T`, `*testing.B`, and `testing.TB` as arguments are checked.
    # Default: false
    all: true

  varnamelen:
    # The minimum length of a variable's name that is considered "long".
    # Variable names that are at least this long will be ignored.
    # Default: 3
    min-name-length: 2
    # Check method receivers.
    # Default: false
    # Ignore "ok" variables that hold the bool return value of a type assertion.
    # Default: false
    ignore-type-assert-ok: true
    # Ignore "ok" variables that hold the bool return value of a map index.
    # Default: false
    ignore-map-index-ok: true
    # Ignore "ok" variables that hold the bool return value of a channel receive.
    # Default: false
    ignore-chan-recv-ok: true

  godot:
    # Check periods at the end of sentences.
    period: false

linters:
  disable-all: true
  enable:
    #- errcheck # checking for unchecked errors, these unchecked errors can be critical bugs in some cases
    - gosimple # specializes in simplifying a code
    #- govet # reports suspicious constructs, such as Printf calls whose arguments do not align with the format string
    - ineffassign # detects when assignments to existing variables are not used
    - staticcheck # is a go vet on steroids, applying a ton of static analysis checks
    - typecheck # like the front-end of a Go compiler, parses and type-checks Go code
    - unused # checks for unused constants, variables, functions and types
    - asasalint # checks for pass []any as any in variadic func(...any)
    - asciicheck # checks that your code does not contain non-ASCII identifiers
    - bidichk # checks for dangerous unicode character sequences
    - bodyclose # checks whether HTTP response body is closed successfully
    #- cyclop # checks function and package cyclomatic complexity
    #- dupl # tool for code clone detection
    - durationcheck # checks for two durations multiplied together
    - errname # checks that sentinel errors are prefixed with the Err and error types are suffixed with the Error
    #- errorlint # finds code that will cause problems with the error wrapping scheme introduced in Go 1.13
    #- execinquery # checks query string in Query function which reads your Go src files and warning it finds
    - exhaustive # checks exhaustiveness of enum switch statements
    #- exportloopref # checks for pointers to enclosing loop variables
    #- forbidigo # forbids identifiers
    #- funlen # tool for detection of long functions
    #- gochecknoinits # checks that no init functions are present in Go code
    #- gocognit # computes and checks the cognitive complexity of functions
    #- goconst # finds repeated strings that could be replaced by a constant
    #- gocritic # provides diagnostics that check for bugs, performance and style issues
    #- gocyclo # computes and checks the cyclomatic complexity of functions
    - godot # checks if comments end in a period
    - goimports # in addition to fixing imports, goimports also formats your code in the same style as gofmt
    #- gomnd # detects magic numbers
    - gomoddirectives # manages the use of 'replace', 'retract', and 'excludes' directives in go.mod
    - gomodguard # allow and block lists linter for direct Go module dependencies. This is different from depguard where there are different block types for example version constraints and module recommendations
    - goprintffuncname # checks that printf-like functions are named with f at the end
    #- gosec # inspects source code for security problems
    #- lll # reports long lines
    - loggercheck # checks key value pairs for common logger libraries (kitlog,klog,logr,zap)
    #- makezero # finds slice declarations with non-zero initial length
    - nakedret # finds naked returns in functions greater than a specified function length
    #- nestif # reports deeply nested if statements
    #- nilerr # finds the code that returns nil even if it checks that the error is not nil
    - nilnil # checks that there is no simultaneous return of nil error and an invalid value
    #- noctx # finds sending http request without context.Context
    - nolintlint # reports ill-formed or insufficient nolint directives
    #- nonamedreturns # reports all named returns
    - nosprintfhostport # checks for misuse of Sprintf to construct a host with port in a URL
    #- predeclared # finds code that shadows one of Go's predeclared identifiers
    - promlinter # checks Prometheus metrics naming via promlint
    - reassign # checks that package variables are not reassigned
    #- revive # fast, configurable, extensible, flexible, and beautiful linter for Go, drop-in replacement of golint
    - rowserrcheck # checks whether Err of rows is checked successfully
    - sqlclosecheck # checks that sql.Rows and sql.Stmt are closed
    #- stylecheck # is a replacement for golint
    - tenv # detects using os.Setenv instead of t.Setenv since Go1.17
    - testableexamples # checks if examples are testable (have an expected output)
    #- testpackage # makes you use a separate _test package
    - tparallel # detects inappropriate usage of t.Parallel() method in your Go test codes
    - unconvert # removes unnecessary type conversions
    #- unparam # reports unused function parameters
    - usestdlibvars # detects the possibility to use variables/constants from the Go standard library
    - wastedassign # finds wasted assignment statements
    - whitespace # detects leading and trailing whitespace

    ## you may want to enable
    - decorder # checks declaration order and count of types, constants, variables and functions
    #- gci # controls golang package import order and makes it always deterministic
    - goheader # checks if the file header matches a pattern
    - interfacebloat # checks the number of methods inside an interface
    #- prealloc # [premature optimization, but can be used in some cases] finds slice declarations that could potentially be preallocated
    #- varnamelen # [great idea, but too many false positives] checks that the length of a variable's name matches its scope
    #- wrapcheck # checks that errors returned from external packages are wrapped
    #- containedctx # detects struct contained context.Context field
    - contextcheck # [too many false positives] checks the function whether use a non-inherited context
    - dogsled # checks assignments with too many blank identifiers (e.g. x, _, _, _, := f())
    #- dupword # [useless without config] checks for duplicate words in the source code
    - errchkjson # [don't see profit + I'm against of omitting errors like in the first example https://github.com/breml/errchkjson] checks types passed to the json encoding functions. Reports unsupported types and optionally reports occasions, where the check for the returned error can be omitted
    #- goerr113 # [too strict] checks the errors handling expressions
    - grouper # analyzes expression groups
    - importas # enforces consistent import aliases
    - maintidx # measures the maintainability index of each function
    - misspell # [useless] finds commonly misspelled English words in comments
    #- nlreturn # [too strict and mostly code is not more readable] checks for a new line before return and branch statements to increase code clarity
    #- paralleltest # [too many false positives] detects missing usage of t.Parallel() method in your Go test
    - tagliatelle # checks the struct tags
    #- thelper # detects golang test helpers without t.Helper() call and checks the consistency of test helpers
    #- wsl # [too strict and mostly code is not more readable] whitespace linter forces you to use empty lines

    ## disabled
    # - exhaustruct # [highly recommend to enable] checks if all structure fields are initialized
    # - godox # detects FIXME, TODO and other comment keywords
    # - gochecknoglobals # checks that no global variables exist
    # - ireturn # accept interfaces, return concrete types

issues:
  # Maximum count of issues with the same text.
  # Set to 0 to disable.
  # Default: 3
  max-same-issues: 0


================================================
FILE: .goreleaser.yml
================================================
project_name: sealed-secrets
env:
  - CGO_ENABLED=0
# Two binaries are built, controller and kubeseal, each for the same list of
# OS/architecture targets.
builds:
  - binary: controller
    id: controller
    main: ./cmd/controller
    ldflags:
      # Sets the VERSION variable of package main to the release version at link time.
      - -X main.VERSION={{ .Version }}
    targets:
      - darwin_amd64
      - darwin_arm64
      - linux_amd64
      - linux_arm64
      - linux_arm
      - windows_amd64
  - binary: kubeseal
    id: kubeseal
    main: ./cmd/kubeseal
    ldflags:
      # Sets the VERSION variable of package main to the release version at link time.
      - -X main.VERSION={{ .Version }}
    targets:
      - darwin_amd64
      - darwin_arm64
      - linux_amd64
      - linux_arm64
      - linux_arm
      - windows_amd64
archives:
  - builds:
      - kubeseal
    name_template: "kubeseal-{{ .Version }}-{{ .Os }}-{{ .Arch }}"
checksum:
  algorithm: sha256
changelog:
  sort: asc
  filters:
    exclude:
      - '^docs:'
      - '^helm:'
      - '^integration:'
      - '^vendor_jsonnet:'
# Signs every release artifact with cosign in key-pair mode (sign-blob).
signs:
  - cmd: cosign
    # The key password is supplied to cosign on stdin; it is taken from the
    # COSIGN_PASSWORD environment variable of the GoReleaser process.
    stdin: '{{ .Env.COSIGN_PASSWORD }}'
    output: true
    artifacts: all
    args:
      - 'sign-blob'
      # Private key file; the release workflow writes it to this path before
      # GoReleaser runs, so the two locations must stay in sync.
      - '--key=/tmp/cosign.key'
      - '--output-signature=${signature}'
      # Skip the interactive confirmation prompt (the job is non-interactive).
      - '--yes'
      - '${artifact}'
release:
  name_template: "{{ .ProjectName }}-v{{ .Version }}"
  header: |
    ## v{{ .Version }} ({{ .Date }})

    New v{{ .Version }} release!
  footer: |
    ## Installation Instructions

    ### Cluster-side

    Install the SealedSecret CRD and server-side controller into the `kube-system` namespace:

    ```sh
    kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v{{ .Version }}/controller.yaml
    ```

    ### Client-side

    Install the client-side tool into `/usr/local/bin/`:

    **Linux x86_64:**
    ```sh
    curl -OL "https://github.com/bitnami-labs/sealed-secrets/releases/download/v{{ .Version }}/kubeseal-{{ .Version }}-linux-amd64.tar.gz"
    tar -xvzf kubeseal-{{ .Version }}-linux-amd64.tar.gz kubeseal
    sudo install -m 755 kubeseal /usr/local/bin/kubeseal
    ```

    **macOS:**
    The `kubeseal` client is available on [homebrew](https://formulae.brew.sh/formula/kubeseal):

    ```sh
    brew install kubeseal
    ```

    **MacPorts:**

    The `kubeseal` client is available on [MacPorts](https://ports.macports.org/port/kubeseal/summary):

    ```sh
    port install kubeseal
    ```

    #### Nixpkgs

    The `kubeseal` client is available on [Nixpkgs](https://search.nixos.org/packages?channel=unstable&show=kubeseal&from=0&size=50&sort=relevance&type=packages&query=kubeseal): (**DISCLAIMER**: Not maintained by bitnami-labs)

    ```sh
    nix-env -iA nixpkgs.kubeseal
    ```

    **Other OS/Arch:**
    Binaries for other OS/arch combinations are attached to this release below.

    If you just want the latest client tool, it can be installed into
    `$GOPATH/bin` with:

    ```sh
    go install github.com/bitnami-labs/sealed-secrets/cmd/kubeseal@main
    ```

    You can specify a release tag or a commit SHA instead of `main`.

    The `go install` command will place the `kubeseal` binary at `$GOPATH/bin`:

    ```sh
    $(go env GOPATH)/bin/kubeseal
    ```

    ## Release Notes

    Please read the [RELEASE_NOTES](https://github.com/bitnami-labs/sealed-secrets/blob/main/RELEASE-NOTES.md) which contain among other things important information for those upgrading from previous releases.
    ## Thanks!

  extra_files:
    - glob: ./controller.yaml
    - glob: ./controller-norbac.yaml
    - glob: ./.github/workflows/cosign.pub


================================================
FILE: .vib/vib-pipeline.json
================================================
{
  "phases": {
    "package": {
      "context": {
        "resources": {
          "url": "{SHA_ARCHIVE}",
          "path": "/helm/sealed-secrets"
        }
      },
      "actions": [
        {
          "action_id": "helm-package"
        },
        {
          "action_id": "helm-lint"
        }
      ]
    },
    "verify": {
      "context": {
        "runtime_parameters": "IyMgQ3JlYXRlIFNlYWxlZCBTZWNyZXRzIGNvbnRyb2xsZXIgc2hvdWxkIGJlIGNyZWF0ZWQKY3JlYXRlQ29udHJvbGxlcjogdHJ1ZQojIyBTZWNyZXQgY29udGFpbmluZyB0aGUga2V5IHVzZWQgdG8gZW5jcnlwdCBzZWNyZXRzCnNlY3JldE5hbWU6ICJzZWFsZWQtc2VjcmV0cy1rZXkiCiMjIFJlbmV3IGtleXMgZXZlcnkgd2VlawprZXlyZW5ld3BlcmlvZDogIjE2OGgiCg=="
      },
      "actions": [
        {
          "action_id": "trivy",
          "params": {
            "threshold": "CRITICAL",
            "vuln_type": ["OS"]
          }
        }
      ]
    }
  }
}


================================================
FILE: .vib/vib-platform-verify-openshift.json
================================================
{
  "phases": {
    "package": {
      "context": {
        "resources": {
          "url": "{SHA_ARCHIVE}",
          "path": "/helm/sealed-secrets"
        }
      },
      "actions": [
        {
          "action_id": "helm-package"
        }
      ]
    },
    "verify": {
      "context": {
        "resources": {
          "url": "{SHA_ARCHIVE}",
          "path": "/.vib/"
        },
        "runtime_parameters": "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",
        "target_platform": {
          "target_platform_id": "{TARGET_PLATFORM}"
        }
      },
      "actions": [
        {
          "action_id": "health-check",
          "params": {
            "endpoint": "lb-sealed-secrets-http"
          }
        }
      ]
    }
  }
}


================================================
FILE: CODE_OF_CONDUCT.md
================================================
# Contributor Covenant Code of Conduct

## Our Pledge

We as members, contributors, and leaders pledge to make participation in our
community a harassment-free experience for everyone, regardless of age, body
size, visible or invisible disability, ethnicity, sex characteristics, gender
identity and expression, level of experience, education, socio-economic status,
nationality, personal appearance, race, religion, or sexual identity
and orientation.

We pledge to act and interact in ways that contribute to an open, welcoming,
diverse, inclusive, and healthy community.

## Our Standards

Examples of behavior that contributes to a positive environment for our
community include:

* Demonstrating empathy and kindness toward other people
* Being respectful of differing opinions, viewpoints, and experiences
* Giving and gracefully accepting constructive feedback
* Accepting responsibility and apologizing to those affected by our mistakes,
  and learning from the experience
* Focusing on what is best not just for us as individuals, but for the
  overall community

Examples of unacceptable behavior include:

* The use of sexualized language or imagery, and sexual attention or
  advances of any kind
* Trolling, insulting or derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or email
  address, without their explicit permission
* Other conduct which could reasonably be considered inappropriate in a
  professional setting

## Enforcement Responsibilities

Community leaders are responsible for clarifying and enforcing our standards of
acceptable behavior and will take appropriate and fair corrective action in
response to any behavior that they deem inappropriate, threatening, offensive,
or harmful.

Community leaders have the right and responsibility to remove, edit, or reject
comments, commits, code, wiki edits, issues, and other contributions that are
not aligned to this Code of Conduct, and will communicate reasons for moderation
decisions when appropriate.

## Scope

This Code of Conduct applies within all community spaces, and also applies when
an individual is officially representing the community in public spaces.
Examples of representing our community include using an official e-mail address,
posting via an official social media account, or acting as an appointed
representative at an online or offline event.

## Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported to the community leaders responsible for enforcement at
sealed-secrets.pdl@broadcom.com.
All complaints will be reviewed and investigated promptly and fairly.

All community leaders are obligated to respect the privacy and security of the
reporter of any incident.

## Enforcement Guidelines

Community leaders will follow these Community Impact Guidelines in determining
the consequences for any action they deem in violation of this Code of Conduct:

### 1. Correction

**Community Impact**: Use of inappropriate language or other behavior deemed
unprofessional or unwelcome in the community.

**Consequence**: A private, written warning from community leaders, providing
clarity around the nature of the violation and an explanation of why the
behavior was inappropriate. A public apology may be requested.

### 2. Warning

**Community Impact**: A violation through a single incident or series
of actions.

**Consequence**: A warning with consequences for continued behavior. No
interaction with the people involved, including unsolicited interaction with
those enforcing the Code of Conduct, for a specified period of time. This
includes avoiding interactions in community spaces as well as external channels
like social media. Violating these terms may lead to a temporary or
permanent ban.

### 3. Temporary Ban

**Community Impact**: A serious violation of community standards, including
sustained inappropriate behavior.

**Consequence**: A temporary ban from any sort of interaction or public
communication with the community for a specified period of time. No public or
private interaction with the people involved, including unsolicited interaction
with those enforcing the Code of Conduct, is allowed during this period.
Violating these terms may lead to a permanent ban.

### 4. Permanent Ban

**Community Impact**: Demonstrating a pattern of violation of community
standards, including sustained inappropriate behavior,  harassment of an
individual, or aggression toward or disparagement of classes of individuals.

**Consequence**: A permanent ban from any sort of public interaction within
the community.

## Attribution

This Code of Conduct is adapted from the [Contributor Covenant][homepage],
version 2.0, available at
https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.

Community Impact Guidelines were inspired by [Mozilla's code of conduct
enforcement ladder](https://github.com/mozilla/diversity).

[homepage]: https://www.contributor-covenant.org

For answers to common questions about this code of conduct, see the FAQ at
https://www.contributor-covenant.org/faq. Translations are available at
https://www.contributor-covenant.org/translations.


================================================
FILE: CONTRIBUTING.md
================================================
# Contributing Guidelines

Contributions are welcome via GitHub Pull Requests. This document outlines the process to help get your contribution accepted.

Any type of contribution is welcome, from new features to bug fixes to documentation improvements. However, VMware/Bitnami will review and triage the proposals. By doing so, we will ensure that the most valuable contributions for the community will be implemented in due time.

## How to Contribute

1. Fork this repository, develop, and test your changes.
2. Submit a pull request.

### Technical Requirements

When submitting a PR, make sure that it:

- Passes the CI jobs that lint the code and test the changes on top of different k8s platforms.
- Follows [Golang best practices](https://go.dev/doc/effective_go).
- Is signed off with the line `Signed-off-by: <Your-Name> <Your-email>`. See [related GitHub blogpost about signing off](https://github.blog/changelog/2022-06-08-admins-can-require-sign-off-on-web-based-commits/).
  > Note: Signing off on a commit is different from signing a commit, such as with a GPG key. The `Signed-off-by` line is plain text in the commit message and does not cryptographically verify who authored the commit.

### PR Approval

1. Changes are manually reviewed by VMware/Bitnami team members.
2. When the PR passes all tests, the PR is merged by the reviewer(s) in the GitHub `main` branch.

### Release process

The release process is based upon periodic release trains.

#### Schedule

Releases happen monthly. A release train "leaves" on the 15th of each month, or the closest working date to that.
 
#### Creation

First of all, prepare the release notes as usual, and merge them.

Once the release notes are ready, a release train is launched by *branching* from `main` to `release/vX.Y.Z`.

#### Validation

The `release/vX.Y.Z` branch will go through the release CI. GoReleaser requires a tag to build a release, so one will be produced automatically from the release branch name `vX.Y.Z`.

If anything fails the release branch is dropped, the issue fixed in `main` and a new release train is started on a new branch.

#### Tracking

Once the release passes all validations and is published, it is merged into `released`.

Note that currently the release process is done in 2 steps, first the container images, then the chart using them. Both events must be merged in the `released` branch.

#### Hot-fixing releases

If there is a need to urgently fix a show-stopper issue in the latest released version, there is no need to wait for the next release train for a new release to happen.

Unless there is a strong reason not to, a fix can be merged into `main` directly, followed by a regular release process.

If doing the fix in main is a "no go" for some reason, for instance, a new change already in `main` makes the bug to be urgently fixed even worse, then the fix must happen from the latest released code to proceed ASAP:

* Create a `hotfix/YYYYMMDD` branch as a copy of `released`. The `YYYYMMDD` suffix is an ISO-8601 timestamp, for tracking purposes.
* Branch off `hotfix/YYYYMMDD` to work on the fix. As a regular PR, you might name the fix branch with a descriptive name for the bug being fixed.
* Once the fix is approved and tested as successful, merge into `hotfix/YYYYMMDD`.
* Push `hotfix/YYYYMMDD` as a `release/vX.Y.Z` to kick off a release train.
* If the release fails for any reason, fix it in `hotfix/YYYYMMDD`, merge and push another `release/vX.Y.Z'` branch.
* Once a hotfix release completes successfully, merge the `release/vX.Y.Z` as `released` as per normal procedure.
* *Backport the hotfix into `main`, including the tests added to detect regressions* of that bug going forward.
* Finally, `hotfix/YYYYMMDD` can be kept around for tracking or historical purposes.

Note that, in either case, the release notes must clarify that this was a hotfix made outside the regular release train schedule.


================================================
FILE: LICENSE
================================================
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "{}"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright {yyyy} {name of copyright owner}

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.


================================================
FILE: MAINTAINERS.md
================================================
# Sealed Secrets Maintainers

## Maintainers

| Maintainer         | GitHub ID                                           |                              Affiliation |
| ------------------ | --------------------------------------------------- | ---------------------------------------: |
| Alvaro Neira Ayuso | [alvneiayu](https://github.com/alvneiayu)           | [VMware](https://www.github.com/vmware/) |
| Alejandro Moreno   | [alemorcuq](https://github.com/alemorcuq)           | [VMware](https://www.github.com/vmware/) |
| Alfredo Garcia     | [agarcia-oss](https://github.com/agarcia-oss)       | [VMware](https://www.github.com/vmware/) |

## Emeritus Maintainers

- Angus Lees ([anguslees](https://github.com/anguslees))
- Marko Mikulicic ([mkmik](https://github.com/mkmik))
- Juan Ariza ([juan131](https://github.com/juan131))
- Jose Vazquez ([josvazg](https://github.com/josvazg))

---

Full list of [Sealed Secrets contributors](https://github.com/bitnami-labs/sealed-secrets/graphs/contributors).


================================================
FILE: Makefile
================================================
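# Tool entry points used by the recipes below.
GO = go
GOTESTSUM = gotestsum
GOFMT = gofmt
GOLANGCILINT=golangci-lint -vv
GOSEC=gosec

export GO111MODULE = on
GO_FLAGS =

KUBECFG = kubecfg
DOCKER = docker
GINKGO = ginkgo -p
# NOTE(review): "@latest" resolves to whichever controller-gen release is newest
# when `make manifests` runs, so the generated CRD is not reproducible and the
# tool version is never reviewed. "?=" lets a caller override this with a pinned
# version from the environment or the command line.
CONTROLLER_GEN ?= go run sigs.k8s.io/controller-tools/cmd/controller-gen@latest

REGISTRY ?= docker.io
# Both image references use the mutable ":latest" tag, so what a cluster pulls
# depends on pull time; presumably release builds set their own tags elsewhere.
CONTROLLER_IMAGE = $(REGISTRY)/bitnami/sealed-secrets-controller:latest
KUBESEAL_IMAGE = $(REGISTRY)/bitnami/sealed-secrets-kubeseal:latest
# Useful for a local registry. The comment is on its own line because make keeps
# the whitespace between a value and a trailing "#" as part of the value, which
# made the old value "false " rather than "false".
INSECURE_REGISTRY = false
IMAGE_PULL_POLICY =
KUBECONFIG ?= $(HOME)/.kube/config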

# Package pattern handed to the test and vet targets, and the .go files found
# under those packages; GO_FILES is the prerequisite list of the binary targets.
GO_PACKAGES = ./...
GO_FILES := $(shell find $(shell $(GO) list -f '{{.Dir}}' $(GO_PACKAGES)) -name \*.go)

# Git state used to derive VERSION: the HEAD commit, a tag that points exactly
# at that commit (empty when there is none), and the last line of
# `git diff --shortstat` (empty when it reports no changes).
COMMIT = $(shell git rev-parse HEAD)
TAG = $(shell git describe --exact-match --abbrev=0 --tags '$(COMMIT)' 2> /dev/null || true)
DIRTY = $(shell git diff --shortstat 2> /dev/null | tail -n1)

# Use a tag if set, otherwise use the commit hash
ifeq ($(TAG),)
VERSION := $(COMMIT)
else
VERSION := $(TAG)
endif

# Host platform as reported by the Go toolchain; selects the default static build.
GOOS = $(shell go env GOOS)
GOARCH = $(shell go env GOARCH)

# Check for changed files
# NOTE(review): plain `git diff` covers unstaged edits to tracked files; staged
# or untracked changes presumably do not mark the version "+dirty" - confirm.
ifneq ($(DIRTY),)
VERSION := $(VERSION)+dirty
endif

# Linker flag that sets main.VERSION in the built binaries to $(VERSION).
GO_LD_FLAGS = -X main.VERSION=$(VERSION)

# Default target: build both binaries.
all: controller kubeseal

# Run the code generation script against a temporary vendor/ tree, which is
# removed again afterwards.
generate:
	$(GO) mod vendor
	./hack/update-codegen.sh
	rm -rf vendor

# Regenerate the SealedSecret CRD for the Helm chart (tail drops the first
# output line), then extract the first version's schema into schema-v1alpha1.yaml.
manifests:
	$(CONTROLLER_GEN) crd:generateEmbeddedObjectMeta=true paths="./pkg/apis/..." output:stdout | tail -n +2 > helm/sealed-secrets/crds/bitnami.com_sealedsecrets.yaml
	yq '.spec.versions[0].schema' < helm/sealed-secrets/crds/bitnami.com_sealedsecrets.yaml > schema-v1alpha1.yaml

# Build the controller binary, named after the target, with main.VERSION set
# through GO_LD_FLAGS.
controller: $(GO_FILES)
	$(GO) build -o $@ $(GO_FLAGS) -ldflags "$(GO_LD_FLAGS)" ./cmd/controller

# Build the kubeseal client binary the same way.
kubeseal: $(GO_FILES)
	$(GO) build -o $@ $(GO_FLAGS) -ldflags "$(GO_LD_FLAGS)" ./cmd/kubeseal

# binary(name, os, arch): declares the rule <name>-static-<os>-<arch>, which
# builds ./cmd/<name> with CGO_ENABLED=0 for the given GOOS/GOARCH. "$$@" is
# doubled so that it survives $(eval) and expands as the rule's target.
define binary
$(1)-static-$(2)-$(3): $(GO_FILES)
	GOOS=$(2) GOARCH=$(3) CGO_ENABLED=0 $(GO) build -o $$@ -installsuffix cgo $(GO_FLAGS) -ldflags "$(GO_LD_FLAGS)" ./cmd/$(1)
endef

# binaries(os, arch): declares the static rules for both controller and kubeseal.
define binaries
$(call binary,controller,$1,$2)
$(call binary,kubeseal,$1,$2)
endef

# Platforms with static build rules; on windows only kubeseal is declared.
$(eval $(call binaries,linux,amd64))
$(eval $(call binaries,linux,arm64))
$(eval $(call binaries,linux,arm))
$(eval $(call binaries,darwin,amd64))
$(eval $(call binary,kubeseal,windows,amd64))

# Copy the static build for the host platform to an unsuffixed file name.
controller-static: controller-static-$(GOOS)-$(GOARCH)
	cp $< $@

kubeseal-static: kubeseal-static-$(GOOS)-$(GOARCH)
	cp $< $@


# image(name, image-ref, os, arch): declares the rule <name>.image.<os>-<arch>.
# The recipe copies the static binary into dist/<name>_<os>_<arch>/, runs a
# docker build with docker/<name>.Dockerfile tagged <image-ref>-<os>-<arch>,
# and records that tag in the target file (written to .tmp, then moved).
define image
$(1).image.$(3)-$(4): docker/$(1).Dockerfile $(1)-static-$(3)-$(4)
	mkdir -p dist/$(1)_$(3)_$(4)
	cp $(1)-static-$(3)-$(4) dist/$(1)_$(3)_$(4)/$(1)
	$(DOCKER) build --build-arg TARGETARCH=$(4) -t $(2)-$(3)-$(4) -f docker/$(1).Dockerfile .
	@echo $(2)-$(3)-$(4) >$$@.tmp
	@mv $$@.tmp $$@
endef

# images(os, arch): declares the image rules for both controller and kubeseal.
define images
$(call image,controller,${CONTROLLER_IMAGE},$1,$2)
$(call image,kubeseal,${KUBESEAL_IMAGE},$1,$2)
endef

# Image rules exist for the linux platforms only.
$(eval $(call images,linux,amd64))
$(eval $(call images,linux,arm64))
$(eval $(call images,linux,arm))

# Render a jsonnet manifest to YAML with kubecfg, passing the controller image
# and the pull policy as external variables. The output is written to a .tmp
# file and then moved, so a failed render does not leave a partial target file.
%.yaml: %.jsonnet
	$(KUBECFG) show -V CONTROLLER_IMAGE=$(CONTROLLER_IMAGE) -V IMAGE_PULL_POLICY=$(IMAGE_PULL_POLICY) -o yaml $< > $@.tmp
	mv $@.tmp $@

# Extra prerequisites of the rendered manifests; the recipe comes from the
# pattern rule above.
controller.yaml: controller.jsonnet controller-norbac.jsonnet schema-v1alpha1.yaml kube-fixes.libsonnet

controller-norbac.yaml: controller-norbac.jsonnet schema-v1alpha1.yaml kube-fixes.libsonnet

controller-podmonitor.yaml: controller.jsonnet controller-norbac.jsonnet schema-v1alpha1.yaml kube-fixes.libsonnet

# Unit tests through gotestsum: JUnit report in report.xml, coverage profile in
# coverage.out.
test:
	$(GOTESTSUM) $(GO_FLAGS) --junitfile report.xml --format testname -- "-coverprofile=coverage.out" $(GO_PACKAGES)

# Integration suite (build tag "integration") run with ginkgo against the
# cluster in $(KUBECONFIG), using the kubeseal and controller binaries built as
# prerequisites.
integrationtest: kubeseal controller
	# Assumes a k8s cluster exists, with controller already installed
	$(GINKGO) -tags 'integration' integration -- -kubeconfig $(KUBECONFIG) -kubeseal-bin $(abspath $<) -controller-bin $(abspath $(word 2,$^))

# go vet with the copylocks check disabled because of the generated fake
# clientset named in the recipe.
vet:
	# known issue:
	# pkg/client/clientset/versioned/fake/clientset_generated.go:46: literal copies lock value from fakePtr
	$(GO) vet $(GO_FLAGS) -copylocks=false $(GO_PACKAGES)

# Rewrite the Go sources in place with gofmt, with simplification (-s).
fmt:
	$(GOFMT) -s -w $(GO_FILES)

# golangci-lint with goimports enabled and a five-minute timeout.
lint:
	 $(GOLANGCILINT) run --enable goimports --timeout=5m

# gosec static security scan over all packages (-r), skipping generated code;
# "-severity low" sets the minimum severity that is reported.
lint-gosec:
	 $(GOSEC) -r -severity low -exclude-generated

# Remove built binaries, static builds, rendered controller manifests and the
# controller image marker files.
clean:
	$(RM) ./controller ./kubeseal
	$(RM) *-static*
	$(RM) controller*.yaml
	$(RM) controller.image*

# Run the repository's cluster check script.
check-k8s:
	scripts/check-k8s

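# Tag the per-platform controller image as $(CONTROLLER_IMAGE) and push it,
# unless REGISTRY is docker.io (treated as a local minikube setup, per the
# message below). OS and ARCH are not set in this Makefile; presumably the
# caller passes them on the command line.
#
# The echo line must start with a tab like the other recipe lines. When it is
# indented with spaces, make does not treat it as part of the recipe: because
# the text contains a colon it is parsed as a separate rule, so the message is
# never printed.
push-controller: clean check-k8s controller.image.$(OS)-$(ARCH)
	docker tag $(CONTROLLER_IMAGE)-$(OS)-$(ARCH) $(CONTROLLER_IMAGE)
ifeq ($(REGISTRY),docker.io)
	echo "Skip push: docker.io registry means minikube"
else
	docker push $(CONTROLLER_IMAGE)
endif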

# Apply the rendered controller manifest to the current kubectl context and wait
# for the sealed-secrets-controller deployment in kube-system to roll out.
apply-controller-manifests: clean check-k8s controller.yaml
	kubectl apply -f controller.yaml
	kubectl rollout status deployment sealed-secrets-controller -n kube-system

# Full local cycle: unit tests, image push, manifest apply, clean, then the
# integration tests.
controller-tests: test push-controller apply-controller-manifests clean integrationtest

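# Targets that name commands rather than files. The list previously carried
# "controllertests", which matches no rule; the rule is "controller-tests".
# generate, manifests, integrationtest and lint are command targets as well.
.PHONY: all kubeseal controller test clean vet fmt lint lint-gosec

.PHONY: generate manifests integrationtest

.PHONY: controller-tests check-k8s push-controller apply-controller-manifests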


================================================
FILE: README.md
================================================
# "Sealed Secrets" for Kubernetes

[![](https://img.shields.io/badge/install-docs-brightgreen.svg)](#Installation)
[![](https://img.shields.io/github/release/bitnami-labs/sealed-secrets.svg)](https://github.com/bitnami-labs/sealed-secrets/releases/latest)
[![](https://img.shields.io/homebrew/v/kubeseal)](https://formulae.brew.sh/formula/kubeseal)
[![Build Status](https://github.com/bitnami-labs/sealed-secrets/actions/workflows/ci.yml/badge.svg)](https://github.com/bitnami-labs/sealed-secrets/actions/workflows/ci.yml)
[![](https://img.shields.io/github/v/release/bitnami-labs/sealed-secrets?include_prereleases&label=helm&sort=semver)](https://github.com/bitnami-labs/sealed-secrets/releases)
[![Download Status](https://img.shields.io/docker/pulls/bitnami/sealed-secrets-controller.svg)](https://hub.docker.com/r/bitnami/sealed-secrets-controller)
[![Go Report Card](https://goreportcard.com/badge/github.com/bitnami-labs/sealed-secrets)](https://goreportcard.com/report/github.com/bitnami-labs/sealed-secrets)
![Downloads](https://img.shields.io/github/downloads/bitnami-labs/sealed-secrets/total.svg)

**Problem:** "I can manage all my K8s config in git, except Secrets."

**Solution:** Encrypt your Secret into a SealedSecret, which *is* safe
to store - even inside a public repository. The SealedSecret can be
decrypted only by the controller running in the target cluster and
nobody else (not even the original author) is able to obtain the
original Secret from the SealedSecret.

<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->


- [Overview](#overview)
  - [SealedSecrets as templates for secrets](#sealedsecrets-as-templates-for-secrets)
  - [Public key / Certificate](#public-key--certificate)
  - [Scopes](#scopes)
- [Installation](#installation)
  - [Installation in Restricted Environments (No RBAC)](#installation-in-restricted-environments-no-rbac)
  - [Controller](#controller)
    - [Kustomize](#kustomize)
    - [Helm Chart](#helm-chart)
      - [Helm Chart on a restricted environment](#helm-chart-on-a-restricted-environment)
  - [Kubeseal](#kubeseal)
    - [Homebrew](#homebrew)
    - [MacPorts](#macports)
    - [Nixpkgs](#nixpkgs)
    - [Linux](#linux)
    - [Installation from source](#installation-from-source)
- [Upgrade](#upgrade)
  - [Supported Versions](#supported-versions)
  - [Compatibility with Kubernetes versions](#compatibility-with-kubernetes-versions)
- [Usage](#usage)
  - [Managing existing secrets](#managing-existing-secrets)
  - [Patching existing secrets](#patching-existing-secrets)
  - [Seal secret which can skip set owner references](#seal-secret-which-can-skip-set-owner-references)
  - [Update existing secrets](#update-existing-secrets)
  - [Raw mode (experimental)](#raw-mode-experimental)
  - [Validate a Sealed Secret](#validate-a-sealed-secret)
- [Secret Rotation](#secret-rotation)
  - [Sealing key renewal](#sealing-key-renewal)
  - [Key registry init priority order](#key-registry-init-priority-order)
  - [User secret rotation](#user-secret-rotation)
  - [Early key renewal](#early-key-renewal)
  - [Common misconceptions about key renewal](#common-misconceptions-about-key-renewal)
  - [Manual key management (advanced)](#manual-key-management-advanced)
  - [Re-encryption (advanced)](#re-encryption-advanced)
- [Details (advanced)](#details-advanced)
  - [Crypto](#crypto)
- [Developing](#developing)
- [FAQ](#faq)
  - [Can I encrypt multiple secrets at once, in one YAML / JSON file?](#can-i-encrypt-multiple-secrets-at-once-in-one-yaml--json-file)
  - [Will you still be able to decrypt if you no longer have access to your cluster?](#will-you-still-be-able-to-decrypt-if-you-no-longer-have-access-to-your-cluster)
  - [How can I do a backup of my SealedSecrets?](#how-can-i-do-a-backup-of-my-sealedsecrets)
  - [Can I decrypt my secrets offline with a backup key?](#can-i-decrypt-my-secrets-offline-with-a-backup-key)
  - [What flags are available for kubeseal?](#what-flags-are-available-for-kubeseal)
  - [How do I update parts of JSON/YAML/TOML/.. file encrypted with sealed secrets?](#how-do-i-update-parts-of-jsonyamltoml-file-encrypted-with-sealed-secrets)
  - [Can I bring my own (pre-generated) certificates?](#can-i-bring-my-own-pre-generated-certificates)
  - [How to use kubeseal if the controller is not running within the `kube-system` namespace?](#how-to-use-kubeseal-if-the-controller-is-not-running-within-the-kube-system-namespace)
  - [How to verify the images?](#how-to-verify-the-images)
  - [How to use one controller for a subset of namespaces](#how-to-use-one-controller-for-a-subset-of-namespaces)
  - [Can I configure the Controller unseal retries?](#can-i-configure-the-controller-unseal-retries)
  - [How to manage SealedSecrets across the cluster or specific namespaces?](#how-to-manage-sealedsecrets-across-the-cluster-or-specific-namespaces)
- [Community](#community)
  - [Related projects](#related-projects)

<!-- END doctoc generated TOC please keep comment here to allow auto update -->

## Overview

Sealed Secrets is composed of two parts:

- A cluster-side controller / operator
- A client-side utility: `kubeseal`

The `kubeseal` utility uses asymmetric crypto to encrypt secrets that only the controller can decrypt.

These encrypted secrets are encoded in a `SealedSecret` resource, which you can see as a recipe for creating
a secret. Here is how it looks:

```yaml
# A SealedSecret custom resource: the encrypted form that is meant to be stored in git.
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  # By default the name and namespace take part in the encryption (see "Scopes"),
  # so the sealed value does not unseal under a different name or namespace.
  name: mysecret
  namespace: mynamespace
spec:
  encryptedData:
    # One entry per secret key; the value is ciphertext produced by kubeseal
    # (truncated in this example).
    foo: AgBy3i4OJSWK+PiTySYZZA9rO43cGDEq.....
```

Once unsealed this will produce a secret equivalent to this:

```yaml
# The plain Secret that the controller creates once the SealedSecret is unsealed.
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
  namespace: mynamespace
data:
  # base64 is an encoding, not encryption: whoever can read this Secret can
  # recover the value.
  foo: YmFy  # <- base64 encoded "bar"
```

This normal [kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/) will appear in the cluster
after a few seconds, and you can use it as you would use any secret that you would have created directly (e.g. reference it from a `Pod`).

Jump to the [Installation](#installation) section to get up and running.

The [Usage](#usage) section explores in more detail how you craft `SealedSecret` resources.

### SealedSecrets as templates for secrets

The previous example only focused on the encrypted secret items themselves, but the relationship between a `SealedSecret` custom resource and the `Secret` it unseals into is similar in many ways (but not in all of them) to the familiar `Deployment` vs `Pod`.

In particular, the annotations and labels of a `SealedSecret` resource are not the same as the annotations and labels of the `Secret` that gets generated out of it.

To capture this distinction, the `SealedSecret` object has a `template` section which encodes all the fields you want the controller to put in the unsealed `Secret`.

The [Sprig function library](https://masterminds.github.io/sprig/) is available (except for `env`, `expandenv` and `getHostByName`) in addition to the default Go Text Template functions.

The `metadata` block is copied as is (the `ownerReference` field will be updated [unless disabled](#seal-secret-which-can-skip-set-owner-references)).

Other secret fields are handled individually. The `type` and `immutable` fields are copied, and the `data` field can be used to [template complex values](docs/examples/config-template) on the `Secret`. All other fields are currently ignored.

```yaml
# SealedSecret with a template section describing the Secret to generate.
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mysecret
  namespace: mynamespace
  # Annotations at this level belong to the SealedSecret itself; they do not
  # appear on the generated Secret shown below.
  annotations:
    "kubectl.kubernetes.io/last-applied-configuration": ....
spec:
  encryptedData:
    .dockerconfigjson: AgBy3i4OJSWK+PiTySYZZA9rO43cGDEq.....
  # Fields the controller puts into the unsealed Secret: type and immutable are
  # copied, and the metadata block is copied as is.
  template:
    type: kubernetes.io/dockerconfigjson
    immutable: true
    # this is an example of labels and annotations that will be added to the output secret
    metadata:
      labels:
        "jenkins.io/credentials-type": usernamePassword
      annotations:
        "jenkins.io/credentials-description": credentials from Kubernetes
```

The controller would unseal that into something like:

```yaml
# Secret generated from the SealedSecret above; labels, annotations, type and
# immutable come from its template section.
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
  namespace: mynamespace
  labels:
    "jenkins.io/credentials-type": usernamePassword
  annotations:
    "jenkins.io/credentials-description": credentials from Kubernetes
  # Set by the controller: marks the Secret as a dependent object of the
  # SealedSecret, so it is updated and deleted together with it.
  ownerReferences:
  - apiVersion: bitnami.com/v1alpha1
    controller: true
    kind: SealedSecret
    name: mysecret
    uid: 5caff6a0-c9ac-11e9-881e-42010aac003e
type: kubernetes.io/dockerconfigjson
immutable: true
data:
  # Decrypted value, base64-encoded as in any Secret (truncated in this example).
  .dockerconfigjson: ewogICJjcmVk...
```

As you can see, the generated `Secret` resource is a "dependent object" of the `SealedSecret` and as such
it will be updated and deleted whenever the `SealedSecret` object gets updated or deleted.

### Public key / Certificate

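The key certificate (public key portion) is used for sealing secrets,
and needs to be available wherever `kubeseal` is going to be
used. The certificate is not secret information, although you need to
ensure you are using the correct one: a secret sealed with the wrong
certificate is encrypted for whoever holds the matching private key,
not for your controller.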

`kubeseal` will fetch the certificate from the controller at runtime
(requires secure access to the Kubernetes API server), which is
convenient for interactive use, but it's known to be brittle when users
have clusters with special configurations such as [private GKE clusters](docs/GKE.md#private-gke-clusters) that have
firewalls between control plane and nodes.

An alternative workflow
is to store the certificate somewhere (e.g. local disk) with
`kubeseal --fetch-cert >mycert.pem`,
and use it offline with `kubeseal --cert mycert.pem`.
The certificate is also printed to the controller log on startup.

Since v0.9.x certificates get automatically renewed every 30 days. It's good practice that you and your team
update your offline certificate periodically. To help you with that, since v0.9.2 `kubeseal` accepts URLs too. You can set up your internal automation to publish certificates somewhere you trust.

```bash
# Seal against a certificate published at a URL you trust (example host). The
# certificate decides who can decrypt, so the publishing location must be one
# that only your own automation can write to.
kubeseal --cert https://your.intranet.company.com/sealed-secrets/your-cluster.cert
```

It also recognizes the `SEALED_SECRETS_CERT` env var. (pro-tip: see also [direnv](https://github.com/direnv/direnv)).

> **NOTE**: we are working on providing key management mechanisms that offload the encryption to HSM based modules or managed cloud crypto solutions such as KMS.

### Scopes

From the point of view of an end user, SealedSecrets are a "write only" device.

The idea is that the SealedSecret can be decrypted only by the controller running in the target cluster and
nobody else (not even the original author) is able to obtain the original Secret from the SealedSecret.

The user may or may not have direct access to the target cluster.
More specifically, the user might or might not have access to the Secret unsealed by the controller.

There are many ways to configure RBAC on k8s, but it's quite common to forbid low-privilege users
from reading Secrets. It's also common to give users one or more namespaces where they have higher privileges,
which would allow them to create and read secrets (and/or create deployments that can reference those secrets).

Encrypted `SealedSecret` resources are designed to be safe to look at: reading one reveals nothing about the secrets it conceals. This implies that we cannot allow users to read a SealedSecret meant for a namespace they wouldn't have access to
and just push a copy of it into a namespace where they can read secrets.

Sealed-secrets thus behaves *as if* each namespace had its own independent encryption key and thus once you
seal a secret for a namespace, it cannot be moved to another namespace and decrypted there.

We don't technically use an independent private key for each namespace, but instead we *include* the namespace name
during the encryption process, effectively achieving the same result.

Furthermore, namespaces are not the only level at which RBAC configurations can decide who can see which secret. In fact, it's possible that users can access a secret called `foo` in a given namespace but not any other secret in the same namespace. Thus, by default, we cannot let users freely rename `SealedSecret` resources; otherwise a malicious user would be able to decrypt any SealedSecret for that namespace by just renaming it to overwrite the one secret that user does have access to. We use the same mechanism used to include the namespace in the encryption key to also include the secret name.

That said, there are many scenarios where you might not care about this level of protection. For example, the only people who have access to your clusters are either admins or they cannot read any `Secret` resource at all. You might have a use case for moving a sealed secret to other namespaces (e.g. you might not know the namespace name upfront), or you might not know the name of the secret (e.g. it could contain a unique suffix based on the hash of the contents etc).

These are the possible scopes:

- `strict` (default): the secret must be sealed with exactly the same *name* and *namespace*. These attributes become *part of the encrypted data* and thus changing name and/or namespace would lead to "decryption error".
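- `namespace-wide`: you can freely *rename* the sealed secret within a given namespace. This gives up the per-name protection described above, so use it only when everyone who can read any `Secret` in that namespace may see this value.
- `cluster-wide`: the secret can be unsealed in *any* namespace and can be given *any* name. This gives up both the per-namespace and the per-name protection, so use it only when everyone who can read any `Secret` anywhere in the cluster may see this value.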

In contrast to the restrictions of *name* and *namespace*, secret *items* (i.e. JSON object keys like `spec.encryptedData.my-key`) can be renamed at will without losing the ability to decrypt the sealed secret.

The scope is selected with the `--scope` flag:

```bash
kubeseal --scope cluster-wide <secret.yaml >sealed-secret.json
```

It's also possible to request a scope via annotations in the input secret you pass to `kubeseal`:

- `sealedsecrets.bitnami.com/namespace-wide: "true"` -> for `namespace-wide`
- `sealedsecrets.bitnami.com/cluster-wide: "true"` -> for `cluster-wide`

The lack of any of such annotations means `strict` mode. If both are set, `cluster-wide` takes precedence.

> NOTE: Next release will consolidate this into a single `sealedsecrets.bitnami.com/scope` annotation.

## Installation

See https://github.com/bitnami-labs/sealed-secrets/releases for the latest release and detailed installation instructions.

Cloud platform specific notes and instructions:

- [GKE](docs/GKE.md)

### Installation in Restricted Environments (No RBAC)

In environments where you lack permissions to create cluster-wide RBAC resources (like `ClusterRoles`), you can use the **`controller-norbac.yaml`** manifest available on the Releases page.

This version is a minimal deployment that includes only the **Deployment**, **Service**, and **CustomResourceDefinition**. It intentionally omits `ServiceAccount`, `ClusterRole`, and `ClusterRoleBinding`.

**Requirements:**
1. A cluster administrator must have already installed the SealedSecret CRDs.
2. You must have an allocated Service Account to run the deployment

### Controller

Once you deploy the manifest it will create the `SealedSecret` resource
and install the controller into `kube-system` namespace, create a service
account and necessary RBAC roles.

After a few moments, the controller will start, generate a key pair,
and be ready for operation. If it does not, check the controller logs.

#### Kustomize

The official controller manifest installation mechanism is just a YAML file.

In some cases you might need to apply your own customizations, like set a custom namespace or set some env variables.

`kubectl` has native support for that, see [kustomize](https://kustomize.io/).

#### Helm Chart

The Sealed Secrets helm chart is now officially supported and hosted in this GitHub repo.

```bash
helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
```

> NOTE: The versioning scheme of the helm chart differs from the versioning scheme of the sealed secrets project itself.

Originally the helm chart was maintained by the community and the first version adopted a major version of 1 while the
sealed secrets project itself is still at major 0.
This is ok because the version of the helm chart itself is not meant to be necessarily the version of the app itself.
However this is confusing, so our current versioning rule is:

1. The `SealedSecret` controller version scheme: 0.X.Y
2. The helm chart version scheme: 1.X.Y-rZ

There can be thus multiple revisions of the helm chart, with fixes that apply only to the helm chart without
affecting the static YAML manifests or the controller image itself.

> NOTE: The helm chart by default installs the controller with the name `sealed-secrets`, while the `kubeseal` command line interface (CLI) tries to access the controller with the name `sealed-secrets-controller`. You can explicitly pass `--controller-name` to the CLI:

```bash
kubeseal --controller-name sealed-secrets <args>
```

Alternatively, you can set `fullnameOverride` when installing the chart to override the name. Note also that `kubeseal` assumes that the controller is installed within the `kube-system` namespace by default. So if you want to use the `kubeseal` CLI without having to pass the expected controller name and namespace you should install the Helm Chart like this:

```bash
helm install sealed-secrets -n kube-system --set-string fullnameOverride=sealed-secrets-controller sealed-secrets/sealed-secrets
```

##### Helm Chart on a restricted environment

In some companies you might be given access only to a single namespace, not a full cluster.

One of the most restrictive environments you can encounter is:
- A `namespace` was allocated to you with some `service account`.
- You do not have access to the rest of the cluster, not even cluster CRDs.
- You may not even be able to create further service accounts or roles in your namespace.
- You are required to include resource limits in all your deployments.

Even with these restrictions you can still install the sealed secrets Helm Chart, there is only one pre-requisite:
- *The cluster must already have the sealed secrets CRDs installed*.

Once your admins installed the CRDs, if they were not there already, you can install the chart by preparing a YAML config file such as this:

```yaml
serviceAccount:
  create: false
  name: {allocated-service-account}
rbac:
  create: false
  clusterRole: false
resources:
  limits:
    cpu: 150m
    memory: 256Mi
```

Note that:
- No service accounts are created, instead the one allocated to you will be used.
  - `{allocated-service-account}` is the name of the `service account` you were allocated on the cluster.
- No RBAC roles are created, either in the namespace or in the cluster.
- Resource limits must be specified.
  - The limits are samples that should work, but you might want to review them in your particular setup.

Once that file is ready, if you named it `config.yaml` you now can install the sealed secrets Helm Chart like this:

```shell
helm install sealed-secrets -n {allocated-namespace} sealed-secrets/sealed-secrets --skip-crds -f config.yaml
```

Where `{allocated-namespace}` is the name of the `namespace` you were allocated in the cluster.

### Kubeseal

#### Homebrew

The `kubeseal` client is also available on [homebrew](https://formulae.brew.sh/formula/kubeseal):

```bash
brew install kubeseal
```

#### MacPorts

The `kubeseal` client is also available on [MacPorts](https://ports.macports.org/port/kubeseal/summary):

```bash
port install kubeseal
```

#### Nixpkgs

The `kubeseal` client is also available on [Nixpkgs](https://search.nixos.org/packages?channel=unstable&show=kubeseal&from=0&size=50&sort=relevance&type=packages&query=kubeseal): (**DISCLAIMER**: Not maintained by bitnami-labs)

```bash
nix-env -iA nixpkgs.kubeseal
```

#### Linux

The `kubeseal` client can be installed on Linux, using the below commands:

```bash
KUBESEAL_VERSION='' # Set this to, for example, KUBESEAL_VERSION='0.23.0'
curl -OL "https://github.com/bitnami-labs/sealed-secrets/releases/download/v${KUBESEAL_VERSION:?}/kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz"
tar -xvzf kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz kubeseal
sudo install -m 755 kubeseal /usr/local/bin/kubeseal
```

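If you have `curl` and `jq` installed on your machine, you can get the version dynamically this way. This can be useful for environments used in automation and such. Note that this installs whichever tag the GitHub API lists first at run time; where installs must be reproducible or reviewed, pin `KUBESEAL_VERSION` explicitly as in the previous snippet.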

```bash
# Fetch the latest sealed-secrets version using GitHub API
KUBESEAL_VERSION=$(curl -s https://api.github.com/repos/bitnami-labs/sealed-secrets/tags | jq -r '.[0].name' | cut -c 2-)

# Check if the version was fetched successfully
if [ -z "$KUBESEAL_VERSION" ]; then
    echo "Failed to fetch the latest KUBESEAL_VERSION"
    exit 1
fi

curl -OL "https://github.com/bitnami-labs/sealed-secrets/releases/download/v${KUBESEAL_VERSION}/kubeseal-${KUBESEAL_VERSION}-linux-amd64.tar.gz"
tar -xvzf kubeseal-${KUBESEAL_VERSION}-linux-amd64.tar.gz kubeseal
sudo install -m 755 kubeseal /usr/local/bin/kubeseal
```

where `KUBESEAL_VERSION` is the [version tag](https://github.com/bitnami-labs/sealed-secrets/tags) of the kubeseal release you want to use, without the leading `v` (the commands above add the `v` themselves). For example: `0.18.0`.

#### Installation from source

If you just want the latest client tool, it can be installed into
`$GOPATH/bin` with:

```bash
go install github.com/bitnami-labs/sealed-secrets/cmd/kubeseal@main
```

You can specify a release tag or a commit SHA instead of `main`.

The `go install` command will place the `kubeseal` binary at `$GOPATH/bin`:

```bash
$(go env GOPATH)/bin/kubeseal
```

## Upgrade

Don't forget to check the [release notes](RELEASE-NOTES.md) for guidance about
possible breaking changes when you upgrade the client tool
and/or the controller.

### Supported Versions
Currently, only the latest version of Sealed Secrets is supported for production environments.

### Compatibility with Kubernetes versions
The Sealed Secrets controller ensures compatibility with different versions of Kubernetes by relying on a stable Kubernetes API. Typically, Kubernetes versions above 1.16 are considered compatible. However, we officially support the [currently recommended Kubernetes versions](https://kubernetes.io/releases/). Additionally, versions above 1.24 undergo thorough verification through our CI process with every release.

## Usage

```bash
# Create a json/yaml-encoded Secret somehow:
# (note use of `--dry-run` - this is just a local file!)
echo -n bar | kubectl create secret generic mysecret --dry-run=client --from-file=foo=/dev/stdin -o json >mysecret.json

# This is the important bit:
kubeseal -f mysecret.json -w mysealedsecret.json

# At this point mysealedsecret.json is safe to upload to Github,
# post on Twitter, etc.

# Eventually:
kubectl create -f mysealedsecret.json

# Profit!
kubectl get secret mysecret
```

Note the `SealedSecret` and `Secret` must have **the same namespace and
name**. This is a feature to prevent other users on the same cluster
from re-using your sealed secrets. See the [Scopes](#scopes) section for more info.

`kubeseal` reads the namespace from the input secret, accepts an explicit `--namespace` argument, and uses
the `kubectl` default namespace (in that order). Any labels,
annotations, etc on the original `Secret` are preserved, but not
automatically reflected in the `SealedSecret`.

By design, this scheme *does not authenticate the user*. In other
words, *anyone* can create a `SealedSecret` containing any `Secret`
they like (provided the namespace/name matches). It is up to your
existing config management workflow, cluster RBAC rules, etc to ensure
that only the intended `SealedSecret` is uploaded to the cluster. The
only change from existing Kubernetes is that the *contents* of the
`Secret` are now hidden while outside the cluster.

### Managing existing secrets

If you want the Sealed Secrets controller to manage an existing `Secret`, you can annotate your `Secret` with the `sealedsecrets.bitnami.com/managed: "true"` annotation. The existing `Secret` will be overwritten when unsealing a `SealedSecret` with the same name and namespace, and the `SealedSecret` will take ownership of the `Secret` (so that when the `SealedSecret` is deleted the `Secret` will also be deleted).

### Patching existing secrets

> New in v0.23.0

There are some use cases in which you don't want to replace the whole `Secret` but just add or modify some keys from the existing `Secret`. For this, you can annotate your `Secret` with `sealedsecrets.bitnami.com/patch: "true"`. Using this annotation will make sure that secret keys, labels and annotations in the `Secret` that are not present in the `SealedSecret` won't be deleted, and those present in the `SealedSecret` will be added to the `Secret` (secret keys, labels and annotations that exist both in the `Secret` and the `SealedSecret` will be modified by the `SealedSecret`).

This annotation does not make the `SealedSecret` take ownership of the `Secret`. You can add both the `patch` and `managed` annotations to obtain the patching behavior while also taking ownership of the `Secret`.

### Seal secret which can skip set owner references

If you want the `SealedSecret` and the `Secret` to be independent, which means that when you delete the `SealedSecret` the `Secret` won't disappear with it, then you have to annotate that Secret with the annotation `sealedsecrets.bitnami.com/skip-set-owner-references: "true"` before applying the Usage steps. You may still also add `sealedsecrets.bitnami.com/managed: "true"` to your `Secret` so that your secret will be updated when the `SealedSecret` is updated.

### Update existing secrets

If you want to add or update existing sealed secrets without having the cleartext for the other items,
you can just copy&paste the new encrypted data items and merge it into an existing sealed secret.

You must take care of sealing the updated items with a compatible name and namespace (see note about scopes above).

You can use the `--merge-into` flag to update an existing sealed secret if you don't want to copy&paste:

```bash
echo -n bar | kubectl create secret generic mysecret --dry-run=client --from-file=foo=/dev/stdin -o json \
  | kubeseal > mysealedsecret.json
echo -n baz | kubectl create secret generic mysecret --dry-run=client --from-file=bar=/dev/stdin -o json \
  | kubeseal --merge-into mysealedsecret.json
```

### Raw mode (experimental)

Creating temporary Secret with the `kubectl` command, only to throw it away once piped to `kubeseal` can
be a quite unfriendly user experience. We're working on an overhaul of the CLI experience. In the meantime,
we offer an alternative mode where kubeseal only cares about encrypting a value to stdout, and it's your responsibility to put it inside a `SealedSecret` resource (not unlike any of the other k8s resources).

It can also be useful as a building block for editor/IDE integrations.

The downside is that you have to be careful to be consistent with the sealing scope, the namespace and the name.

See [Scopes](#scopes)

`strict` scope (default):

```console
$ echo -n foo | kubeseal --raw --namespace bar --name mysecret
AgBChHUWLMx...
```

`namespace-wide` scope:

```console
$ echo -n foo | kubeseal --raw --namespace bar --scope namespace-wide
AgAbbFNkM54...
```
Include the `sealedsecrets.bitnami.com/namespace-wide` annotation in the `SealedSecret`
```yaml
metadata:
  annotations:
    sealedsecrets.bitnami.com/namespace-wide: "true"
```

`cluster-wide` scope:

```console
$ echo -n foo | kubeseal --raw --scope cluster-wide
AgAjLKpIYV+...
```
Include the `sealedsecrets.bitnami.com/cluster-wide` annotation in the `SealedSecret`
```yaml
metadata:
  annotations:
    sealedsecrets.bitnami.com/cluster-wide: "true"
```

### Validate a Sealed Secret

If you want to validate an existing sealed secret, `kubeseal` has the flag `--validate` to help you.

Given a file named `sealed-secrets.yaml` containing the following sealed secret:

```yaml
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mysecret
  namespace: mynamespace
spec:
  encryptedData:
    foo: AgBy3i4OJSWK+PiTySYZZA9rO43cGDEq.....
```

You can validate if the sealed secret was properly created or not:

```console
$ cat sealed-secrets.yaml | kubeseal --validate
```

In case of an invalid sealed secret, `kubeseal` will show:

```console
$ cat sealed-secrets.yaml | kubeseal --validate
error: unable to decrypt sealed secret
```

## Secret Rotation

You should always rotate your secrets. But since your secrets are encrypted with another secret,
you need to understand how these two layers relate to take the right decisions.

TL;DR:

> If a *sealing* private key is compromised, you need to follow the instructions below in "Early key renewal"
> section before rotating any of your actual secret values.
>
> SealedSecret key renewal and re-encryption features are **not a substitute** for periodical rotation of your actual secret values.

### Sealing key renewal

Sealing keys are automatically renewed every 30 days, which means a new sealing key is created and appended to the set of active sealing keys the controller can use to unseal `SealedSecret` resources.

The most recently created sealing key is the one used to seal new secrets when you use `kubeseal` and it's the one whose certificate is downloaded when you use `kubeseal --fetch-cert`.

The renewal time of 30 days is a reasonable default, but it can be tweaked as needed
with the `--key-renew-period=<value>` flag for the command in the pod template of the `SealedSecret` controller. The `value` field can be given as golang
duration flag (eg: `720h30m`). Assuming that you've installed Sealed Secrets into the `kube-system` namespace, use the following command to edit the Deployment controller, and add the `--key-renew-period` parameter. Once you close your text editor, and the Deployment controller has been modified, a new Pod will be automatically created to replace the old Pod.

```
kubectl edit deployment/sealed-secrets-controller --namespace=kube-system
```

A value of `0` will deactivate automatic key renewal. Of course, you may have a valid use case for deactivating automatic sealing key renewal but experience has shown that new users often tend to jump to conclusions that they want control over key renewal, before fully understanding how sealed secrets work. Read more about this in the [common misconceptions](#common-misconceptions-about-key-renewal) section below.

> Unfortunately, you cannot use e.g. "d" as a unit for days because that's not supported by the Go stdlib. Instead of hitting your face with a palm, take this as an opportunity to meditate on the [falsehoods programmers believe about time](https://infiniteundo.com/post/25326999628/falsehoods-programmers-believe-about-time).

A common misunderstanding is that key renewal is often thought of as a form of key rotation, where the old key is not only obsolete but actually bad and that you thus want to get rid of it.
It doesn't help that this feature has been historically called "key rotation", which can add to the confusion.

Sealed secrets are not automatically rotated and old keys are not deleted
when new keys are generated. Old `SealedSecret` resources can be still decrypted (that's because old sealing keys are not deleted).

### Key registry init priority order

When the controller starts, it will initialize the key registry. The most recent key is used to seal secrets. By default, this certificate is chosen based on the NotBefore attribute of the certificate. If you want to change the priority order of the keys in the registry, you can use the `--key-order-priority` flag. 

The `--key-order-priority` flag accepts the following values:
- `CertNotBefore`: (default) The key registry will be ordered based on the NotBefore attribute of the key certificate.
- `SecretCreationTimestamp`: The key registry will be ordered based on the creation timestamp of the secret.

This flag influences the public key used to encrypt secrets and the certificate retrieved by `kubeseal --fetch-cert`. 



### User secret rotation

The *sealing key* renewal and SealedSecret rotation are **not a substitute** for rotating your actual secrets.

A core value proposition of this tool is:

> Encrypt your Secret into a SealedSecret, which *is* safe to store - even inside a public repository.

If you store anything in a version control storage, and in a public one in particular, you must assume
you cannot ever delete that information.

*If* a sealing key somehow leaks out of the cluster you must consider all your `SealedSecret` resources
encrypted with that key as compromised. No amount of sealing key rotation in the cluster or even re-encryption of existing SealedSecrets files can change that.

The best practice is to periodically rotate all your actual secrets (e.g. change the password) **and** craft new
`SealedSecret` resources with those new secrets.

But if the `SealedSecret` controller was not renewing the *sealing key* that rotation would be moot,
since the attacker could just decrypt the new secrets as well. Thus, you need to do both: periodically renew the sealing key and rotate your actual secrets!

### Early key renewal

If you know or suspect a *sealing key* has been compromised you should renew the key ASAP before you
start sealing your new rotated secrets, otherwise you'll be giving attackers access to your new secrets as well.

A key can be generated early by passing the current timestamp to the controller into a flag called `--key-cutoff-time` or an env var called `SEALED_SECRETS_KEY_CUTOFF_TIME`. The expected format is RFC1123, you can generate it with the `date -R` unix command.

### Common misconceptions about key renewal

Sealed secrets sealing keys are not access control keys (e.g. a password). They are more like the GPG key you might use to read encrypted mail sent to you. Let's continue with the email analogy for a bit:

Imagine you have reasons to believe your private GPG key might have been compromised. You'd have more to lose than to gain if the first thing you do is just delete your private key. All the previous emails sent with that key are no longer accessible to you (unless you have a decrypted copy of those emails), nor are new emails sent by your friends whom you have not yet managed to tell to use the new key.

Sure, the content of those encrypted emails is not secure, as an attacker might now be able to decrypt them, but what's done is done. Your sudden loss of the ability to read those emails surely doesn't undo the damage. If anything, it's worse because you no longer know for sure what secret the attacker got to know. What you really want to do is to make sure that your friend stops using your old key and that from now on all further communication is encrypted with a new key pair (i.e. your friend must know about that new key).

The same logic applies to SealedSecrets. The ultimate goal is to secure your actual "user" secrets. The "sealing" secrets are just a mechanism, an "envelope". If a secret is leaked there is no going back, what's done is done.

You first need to ensure that new secrets don't get encrypted with that old compromised key (in the email analogy above that's: create a new key pair and give all your friends your new public key).

The second logical step is to neutralize the damage, which depends on the nature of the secret. A simple example is a database password: if you accidentally leak your database password, the thing you're supposed to do is simply to change your database password (on the database; and revoke the old one!) *and* update the `SealedSecret` resource with the new password (i.e. running `kubeseal` again).

Both steps are described in the previous sections, albeit in a less verbose way. There is no shame in reading them again, now that you have a more in-depth grasp of the underlying rationale.

### Manual key management (advanced)

The `SealedSecret` controller and the associated workflow are designed to keep old sealing keys around and periodically add new ones. You should not delete old keys unless you know what you're doing.

That said, if you want you can manually manage (create, move, delete) *sealing keys*. They are just normal k8s secrets living in the same namespace where the `SealedSecret` controller lives (usually `kube-system`, but it's configurable).

There are advanced use cases that you can address by creative management of the sealing keys.
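For example, you can share the same sealing key among a few clusters so that you can apply exactly the same sealed secret in multiple clusters. Keep in mind that a shared key also shares the exposure: if it leaks from any one of those clusters, the sealed secrets of all of them must be considered compromised.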
Since sealing keys are just normal k8s secrets you can even use sealed secrets themselves and use a GitOps workflow to manage your sealing keys (useful when you want to share the same key among different clusters)!

Labeling a *sealing key* secret with anything other than `active` effectively deletes
the key from the `SealedSecret` controller, but it is still available in k8s for
manual encryption/decryption if need be.

**NOTE** `SealedSecret` controller currently does not automatically pick up manually created, deleted or relabeled sealing keys. An admin must restart the controller before the effect will apply.

### Re-encryption (advanced)

Before you can get rid of some old sealing keys you need to re-encrypt your SealedSecrets with the latest private key.

```bash
kubeseal --re-encrypt <my_sealed_secret.json >tmp.json \
  && mv tmp.json my_sealed_secret.json
```

The invocation above will produce a new sealed secret file freshly encrypted with
the latest key, without making the secrets leave the cluster to the client. You can then save that file
in your version control system (`kubeseal --re-encrypt` doesn't update the in-cluster object).

Currently, old keys are not garbage collected automatically.

It's a good idea to periodically re-encrypt your SealedSecrets. But as mentioned above, don't lull yourself into a false sense of security: you must assume the old version of the `SealedSecret` resource (the one encrypted with a key you think of as dead) is still potentially around and accessible to attackers. I.e. re-encryption is not a substitute for periodically rotating your actual secrets.

## Details (advanced)

This controller adds a new `SealedSecret` custom resource. The
interesting part of a `SealedSecret` is a base64-encoded
asymmetrically encrypted `Secret`.

The controller maintains a set of private/public key pairs as kubernetes
secrets. Keys are labeled with `sealedsecrets.bitnami.com/sealed-secrets-key`
and identified in the label as either `active` or `compromised`. On startup,
the sealed secrets controller will...

1. Search for these keys and add them to its local store if they are
labeled as active.
2. Create a new key
3. Start the key rotation cycle

### Crypto

More details about crypto can be found [here](docs/developer/crypto.md).

## Developing

Developing guidelines can be found [in the Developer Guide](docs/developer/README.md).

## FAQ

### Can I encrypt multiple secrets at once, in one YAML / JSON file?

Yes, you can! Drop as many secrets as you like in one file. Make sure to separate them via `---` for YAML and as extra, single objects in JSON.

### Will you still be able to decrypt if you no longer have access to your cluster?

No, the private keys are only stored in the Secret managed by the controller (unless you have some other backup of your k8s objects). There are no backdoors - without the private key that matches the certificate used to encrypt a given SealedSecret, you can't decrypt it. If you can't get to the Secrets with the encryption keys, and you also can't get to the decrypted versions of your Secrets live in the cluster, then you will need to regenerate new passwords for everything, seal them again with a new sealing key, etc.

### How can I do a backup of my SealedSecrets?

If you do want to make a backup of the encryption private keys, it's easy to do from an account with suitable access:

```bash
kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml >main.key

echo "---" >> main.key
kubectl get secret -n kube-system sealed-secrets-key -o yaml >>main.key
```

> NOTE: You need the second statement only if you ever installed sealed-secrets older than version 0.9.x on your cluster.

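> NOTE: This file will contain the controller's public + private keys and should be kept omg-safe! Anyone who obtains it can decrypt every `SealedSecret` sealed with those keys, including copies already published in version control, so restrict who can read it and store it encrypted.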

> NOTE: After sealing key renewal you should recreate your backup. Otherwise, your backup won't be able to decrypt new sealed secrets.

To restore from a backup after some disaster, just put those secrets back before starting the controller - or if the controller was already started, replace the newly-created secrets and restart the controller:

* For Helm deployment:
    ```bash
    kubectl apply -f main.key
    kubectl delete pod -n kube-system -l app.kubernetes.io/name=sealed-secrets
    ```

* For deployment via `controller.yaml` manifest
    ```bash
    kubectl apply -f main.key
    kubectl delete pod -n kube-system -l name=sealed-secrets-controller
    ```

### Can I decrypt my secrets offline with a backup key?

While treating sealed-secrets as long term storage system for secrets is not the recommended use case, some people
do have a legitimate requirement for being able to recover secrets when the k8s cluster is down and restoring a backup into a new `SealedSecret` controller deployment is not practical.

If you have backed up one or more of your private keys (see previous question), you can use the `kubeseal --recovery-unseal --recovery-private-key file1.key,file2.key,...` command to decrypt a sealed secrets file.

### What flags are available for kubeseal?

You can check the flags available using `kubeseal --help`.

### How do I update parts of JSON/YAML/TOML/.. file encrypted with sealed secrets?

A kubernetes `Secret` resource contains multiple items, basically a flat map of key/value pairs.
SealedSecrets operate at that level, and does not care what you put in the values. In other words
it cannot make sense of any structured configuration file you might have put in a secret and thus
cannot help you update individual fields in it.

Since this is a common problem, especially when dealing with legacy applications, we do offer an [example](docs/examples/config-template) of a possible workaround.

### Can I bring my own (pre-generated) certificates?

Yes, you can provide the controller with your own certificates, and it will consume them.
Please check [here](docs/bring-your-own-certificates.md) for a workaround.

### How to use kubeseal if the controller is not running within the `kube-system` namespace?

If you installed the controller in a different namespace than the default `kube-system`, you need to provide this namespace
to the `kubeseal` commandline tool. There are two options:

1. You can specify the namespace via the command line option `--controller-namespace <namespace>`:

  ```bash
kubeseal --controller-namespace sealed-secrets <mysecret.json >mysealedsecret.json
```

2. Via the environment variable `SEALED_SECRETS_CONTROLLER_NAMESPACE`:

  ```bash
export SEALED_SECRETS_CONTROLLER_NAMESPACE=sealed-secrets
kubeseal <mysecret.json >mysealedsecret.json
```

### How to verify the images?

Our images are signed using [cosign](https://github.com/sigstore/cosign). The signatures are stored in our [GitHub Container Registry](https://ghcr.io/bitnami-labs/sealed-secrets-controller/signs).

> Images up to and including v0.20.2 were signed using Cosign v1. Newer images are signed with Cosign v2.

It is pretty simple to verify the images:

```bash
# Set COSIGN_REPOSITORY so cosign looks up signatures in the project's GHCR signature repository
export COSIGN_REPOSITORY=ghcr.io/bitnami-labs/sealed-secrets-controller/signs

# Verify the image published to GHCR. The --key path is relative to the root of a checkout of
# this repository, where the project's public key is kept.
# NOTE: `:latest` is a mutable tag; the check covers only the digest the tag resolves to at that
# moment, so deploy by that digest (image@sha256:<digest>) rather than by tag.
cosign verify --key .github/workflows/cosign.pub ghcr.io/bitnami-labs/sealed-secrets-controller:latest

# Verify the image published to Docker Hub. COSIGN_REPOSITORY is still exported, so the
# signatures for this image are also looked up in the GHCR signature repository.
cosign verify --key .github/workflows/cosign.pub docker.io/bitnami/sealed-secrets-controller:latest
```

### How to use one controller for a subset of namespaces

If you want to use one controller for more than one namespace, but not all namespaces, you can provide additional namespaces using the command line flag `--additional-namespaces=<namespace1>,<namespace2>,<...>`. Make sure you provide appropriate roles and rolebindings in the target namespaces, so the controller can manage the secrets in there.

### Can I configure the Controller unseal retries?

Yes. Use the controller flag `--max-unseal-retries` to set the maximum number of times the controller retries unsealing a Sealed Secret.

### How to manage SealedSecrets across the cluster or specific namespaces?

By default, the controller watches for `SealedSecret` resources across **all namespaces** using the `--all-namespaces` flag (which defaults to `true`).

If you need to restrict the controller's scope, you have two options:
- **Watch a subset of namespaces:** Use the `--additional-namespaces=<ns1>,<ns2>` flag to provide a comma-separated list of namespaces for the controller to manage.
- **Watch only the local namespace:** Set `--all-namespaces=false` (or the environment variable `SEALED_SECRETS_ALL_NAMESPACES=false`). This is useful for multi-tenant clusters where you want isolated controllers with independent sealing keys in each namespace.

## Community

- [#sealed-secrets on Kubernetes Slack](https://kubernetes.slack.com/messages/sealed-secrets)

Click [here](https://slack.k8s.io) to sign up to the Kubernetes Slack org.

### Related projects

- `kseal` A Kubeseal Companion: [https://github.com/eznix86/kseal](https://github.com/eznix86/kseal)
- `kubeseal-convert`: [https://github.com/EladLeev/kubeseal-convert](https://github.com/EladLeev/kubeseal-convert)
- Visual Studio Code extension: [https://marketplace.visualstudio.com/items?itemName=codecontemplator.kubeseal](https://marketplace.visualstudio.com/items?itemName=codecontemplator.kubeseal)
- WebSeal: generates secrets in the browser: [https://socialgouv.github.io/webseal](https://socialgouv.github.io/webseal)
- HybridEncrypt TypeScript implementation: [https://github.com/SocialGouv/aes-gcm-rsa-oaep](https://github.com/SocialGouv/aes-gcm-rsa-oaep)
- [DEPRECATED] Sealed Secrets Operator: [https://github.com/disposab1e/sealed-secrets-operator-helm](https://github.com/disposab1e/sealed-secrets-operator-helm)


================================================
FILE: RELEASE-NOTES.md
================================================
# Release Notes

Latest release:

[![](https://img.shields.io/github/release/bitnami-labs/sealed-secrets.svg)](https://github.com/bitnami-labs/sealed-secrets/releases/latest)

## v0.36.1

- Doc/issue 501 all namespaces ([#1900](https://github.com/bitnami-labs/sealed-secrets/pull/1900))
- Bump go 1.26.1 ([#1914](https://github.com/bitnami-labs/sealed-secrets/pull/1914))
- Update actions/setup-go to v6.2.0 ([#1906](https://github.com/bitnami-labs/sealed-secrets/pull/1906))
- fix: explicitly specify TCP protocol for helm SSA compatibility (#692) ([#1901](https://github.com/bitnami-labs/sealed-secrets/pull/1901))
- docs: document GKE Warden and RBAC restrictions ([#1892](https://github.com/bitnami-labs/sealed-secrets/pull/1892))
- Bump k8s.io/klog/v2 from 2.130.1 to 2.140.0 ([#1913](https://github.com/bitnami-labs/sealed-secrets/pull/1913))
- chore: remove note about deprecation of helm chart. ([#1902](https://github.com/bitnami-labs/sealed-secrets/pull/1902))
- Bump k8s.io/code-generator from 0.35.1 to 0.35.2 ([#1909](https://github.com/bitnami-labs/sealed-secrets/pull/1909))
- Bump k8s.io/client-go from 0.35.1 to 0.35.2 ([#1908](https://github.com/bitnami-labs/sealed-secrets/pull/1908))
- Bump distroless/static from `d90359c` to `28efbe9` in /docker ([#1912](https://github.com/bitnami-labs/sealed-secrets/pull/1912))
- Fix oci push action ([#1899](https://github.com/bitnami-labs/sealed-secrets/pull/1899))

## v0.36.0

- [Security] Preserve scope during Sealed Secret rotation ([#1886](https://github.com/bitnami-labs/sealed-secrets/pull/1886))
- [Security] Throw an error in case of inconsistencies in the Sealed Secrets ([#1885](https://github.com/bitnami-labs/sealed-secrets/pull/1885))
- Bump distroless/static from `972618c` to `d90359c` in /docker ([#1884](https://github.com/bitnami-labs/sealed-secrets/pull/1884))
- Set up OCI GH to release helm chart ([#1883](https://github.com/bitnami-labs/sealed-secrets/pull/1883))

## v0.35.0

- my namespace as key namespace ([#1867](https://github.com/bitnami-labs/sealed-secrets/pull/1867))
- Bump go 1.25.7 ([#1880](https://github.com/bitnami-labs/sealed-secrets/pull/1880))
- Update client-go and api 0.35.0 ([#1868](https://github.com/bitnami-labs/sealed-secrets/pull/1868))
- Bump golang.org/x/crypto from 0.46.0 to 0.47.0 ([#1863](https://github.com/bitnami-labs/sealed-secrets/pull/1863))
- Bump github.com/onsi/gomega from 1.38.3 to 1.39.0 ([#1865](https://github.com/bitnami-labs/sealed-secrets/pull/1865))
- Bump github.com/onsi/ginkgo/v2 from 2.27.3 to 2.27.5 ([#1864](https://github.com/bitnami-labs/sealed-secrets/pull/1864))
- Bump distroless/static from `4b2a093` to `cd64bec` in /docker ([#1866](https://github.com/bitnami-labs/sealed-secrets/pull/1866))
- Bump k8s.io/code-generator from 0.34.3 to 0.35.0 ([#1858](https://github.com/bitnami-labs/sealed-secrets/pull/1858))

## v0.34.0

- Add kseal to README ([#1852](https://github.com/bitnami-labs/sealed-secrets/pull/1852))
- Bump golang version to the latest available 1.24 ([#1854](https://github.com/bitnami-labs/sealed-secrets/pull/1854))
- Bump k8s.io/code-generator from 0.34.2 to 0.34.3 ([#1850](https://github.com/bitnami-labs/sealed-secrets/pull/1850))
- Bump k8s.io/client-go from 0.34.2 to 0.34.3 ([#1848](https://github.com/bitnami-labs/sealed-secrets/pull/1848))
- Bump github.com/onsi/ginkgo/v2 from 2.27.2 to 2.27.3 ([#1843](https://github.com/bitnami-labs/sealed-secrets/pull/1843))
- Bump distroless/static from `87bce11` to `4b2a093` in /docker ([#1846](https://github.com/bitnami-labs/sealed-secrets/pull/1846))
- Bump github.com/onsi/gomega from 1.38.2 to 1.38.3 ([#1844](https://github.com/bitnami-labs/sealed-secrets/pull/1844))
- Bump golang.org/x/crypto from 0.45.0 to 0.46.0 ([#1845](https://github.com/bitnami-labs/sealed-secrets/pull/1845))
- Make controllers kubeclient QPS & Burst configurable. ([#1834](https://github.com/bitnami-labs/sealed-secrets/pull/1834))
- use default method to watch for key secrets ([#1831](https://github.com/bitnami-labs/sealed-secrets/pull/1831))
- Bump golang.org/x/crypto from 0.44.0 to 0.45.0 in the go_modules group across 1 directory ([#1840](https://github.com/bitnami-labs/sealed-secrets/pull/1840))
- Bump k8s.io/code-generator from 0.34.1 to 0.34.2 ([#1839](https://github.com/bitnami-labs/sealed-secrets/pull/1839))
- Bump golang.org/x/crypto from 0.43.0 to 0.44.0 ([#1835](https://github.com/bitnami-labs/sealed-secrets/pull/1835))
- Bump k8s.io/client-go from 0.34.1 to 0.34.2 ([#1837](https://github.com/bitnami-labs/sealed-secrets/pull/1837))

## v0.33.1

- Release done to fix missing helm chart code.

## v0.33.0

- Bump Go to 1.25.4 ([#1823](https://github.com/bitnami-labs/sealed-secrets/pull/1823))
- Bump github.com/onsi/ginkgo/v2 from 2.26.0 to 2.27.2 ([#1820](https://github.com/bitnami-labs/sealed-secrets/pull/1820))
- Bump golang.org/x/crypto from 0.42.0 to 0.43.0 ([#1818](https://github.com/bitnami-labs/sealed-secrets/pull/1818))
- Bump github.com/onsi/ginkgo/v2 from 2.25.3 to 2.26.0 ([#1817](https://github.com/bitnami-labs/sealed-secrets/pull/1817))

## v0.32.2

- Fix controller yaml ([#1811](https://github.com/bitnami-labs/sealed-secrets/pull/1811))
- Bump k8s.io/code-generator from 0.33.4 to 0.34.1 ([#1809](https://github.com/bitnami-labs/sealed-secrets/pull/1809))

## v0.32.1

- Bump distroless version ([#1804](https://github.com/bitnami-labs/sealed-secrets/pull/1804))

## v0.32.0

- Fix regression mismatching namespace ([#1798](https://github.com/bitnami-labs/sealed-secrets/pull/1798))
- Bump k8s.io/apimachinery from 0.33.4 to 0.34.0 ([#1795](https://github.com/bitnami-labs/sealed-secrets/pull/1795))
- Bump github.com/spf13/pflag from 1.0.7 to 1.0.10 ([#1794](https://github.com/bitnami-labs/sealed-secrets/pull/1794))
- Bump github.com/onsi/ginkgo/v2 from 2.25.1 to 2.25.3 ([#1793](https://github.com/bitnami-labs/sealed-secrets/pull/1793))
- Bump golang.org/x/crypto from 0.41.0 to 0.42.0 ([#1797](https://github.com/bitnami-labs/sealed-secrets/pull/1797))
- Bump github.com/prometheus/client_golang from 1.23.0 to 1.23.2 ([#1796](https://github.com/bitnami-labs/sealed-secrets/pull/1796))
- Bump github.com/onsi/gomega from 1.38.0 to 1.38.1 ([#1787](https://github.com/bitnami-labs/sealed-secrets/pull/1787))
- Bump k8s.io/client-go from 0.33.3 to 0.33.4 ([#1774](https://github.com/bitnami-labs/sealed-secrets/pull/1774))
- Bump k8s.io/api from 0.33.3 to 0.33.4 ([#1775](https://github.com/bitnami-labs/sealed-secrets/pull/1775))
- Bump github.com/onsi/ginkgo/v2 from 2.23.4 to 2.24.0 ([#1776](https://github.com/bitnami-labs/sealed-secrets/pull/1776))
- Bump k8s.io/apimachinery from 0.33.3 to 0.33.4 ([#1777](https://github.com/bitnami-labs/sealed-secrets/pull/1788))
- Bump k8s.io/code-generator from 0.33.3 to 0.33.4 ([#1778](https://github.com/bitnami-labs/sealed-secrets/pull/1778))

## v0.31.0

- Helm: add watch for secrets ([#1758](https://github.com/bitnami-labs/sealed-secrets/pull/1758))
- Simplify VIB helm chart validation ([#1771](https://github.com/bitnami-labs/sealed-secrets/pull/1771))
- Fix: metrics cleanup for deleted SealedSecrets ([#1764](https://github.com/bitnami-labs/sealed-secrets/pull/1764))
- Fix keyrenewperiod template chart ([#1756](https://github.com/bitnami-labs/sealed-secrets/pull/1756))
- Fix namespace validation to prevent mismatch errors ([#1754](https://github.com/bitnami-labs/sealed-secrets/pull/1754))
- Bump VIB action version and updates the service URL ([#1770](https://github.com/bitnami-labs/sealed-secrets/pull/1770))
- Bump golang version to latest available one for 1.24 ([#1769](https://github.com/bitnami-labs/sealed-secrets/pull/1769))
- Bump golang.org/x/crypto from 0.40.0 to 0.41.0 ([#1768](https://github.com/bitnami-labs/sealed-secrets/pull/1768))
- Bump github.com/prometheus/client_golang from 1.22.0 to 1.23.0 ([#1767](https://github.com/bitnami-labs/sealed-secrets/pull/1767))
- Bump k8s.io/api from 0.33.2 to 0.33.3 ([#1766](https://github.com/bitnami-labs/sealed-secrets/pull/1766))
- Bump github.com/spf13/pflag from 1.0.6 to 1.0.7 ([#1765](https://github.com/bitnami-labs/sealed-secrets/pull/1765))
- Bump k8s.io/client-go from 0.33.2 to 0.33.3 ([#1761](https://github.com/bitnami-labs/sealed-secrets/pull/1761))
- Bump github.com/onsi/gomega from 1.37.0 to 1.38.0 ([#1760](https://github.com/bitnami-labs/sealed-secrets/pull/1760))
- Bump k8s.io/code-generator from 0.33.2 to 0.33.3 ([#1759](https://github.com/bitnami-labs/sealed-secrets/pull/1759))
- Bump golang.org/x/crypto from 0.39.0 to 0.40.0 ([#1755](https://github.com/bitnami-labs/sealed-secrets/pull/1755))
- Bump k8s.io/code-generator from 0.33.1 to 0.33.2 ([#1752](https://github.com/bitnami-labs/sealed-secrets/pull/1752))

## v0.30.0

- Bump golang to 1.24.4 ([#1743](https://github.com/bitnami-labs/sealed-secrets/pull/1743))
- Fix typo in RBAC namespaced roles documentation ([#1720](https://github.com/bitnami-labs/sealed-secrets/pull/1720))
- Bump to go1.24.1 ([#1713](https://github.com/bitnami-labs/sealed-secrets/pull/1713))
- [Security] Fix potential exposure of sensitive controller data through sprig template functions ([#1703](https://github.com/bitnami-labs/sealed-secrets/pull/1703))
- Bump golang.org/x/crypto from 0.38.0 to 0.39.0 ([#1742](https://github.com/bitnami-labs/sealed-secrets/pull/1742))
- Bump k8s.io/client-go from 0.33.0 to 0.33.1 ([#1734](https://github.com/bitnami-labs/sealed-secrets/pull/1734))
- Bump k8s.io/api from 0.33.0 to 0.33.1 ([#1733](https://github.com/bitnami-labs/sealed-secrets/pull/1733))
- Bump k8s.io/code-generator from 0.33.0 to 0.33.1 ([#1732](https://github.com/bitnami-labs/sealed-secrets/pull/1732))
- Bump golang.org/x/crypto from 0.37.0 to 0.38.0 ([#1731](https://github.com/bitnami-labs/sealed-secrets/pull/1731))
- Bump k8s.io/client-go from 0.32.3 to 0.33.0 ([#1729](https://github.com/bitnami-labs/sealed-secrets/pull/1729))
- Bump k8s.io/code-generator from 0.32.3 to 0.33.0 ([#1728](https://github.com/bitnami-labs/sealed-secrets/pull/1728))
- Bump k8s.io/api from 0.32.3 to 0.33.0 ([#1730](https://github.com/bitnami-labs/sealed-secrets/pull/1730))
- Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules group ([#1725](https://github.com/bitnami-labs/sealed-secrets/pull/1725))
- Bump github.com/prometheus/client_golang from 1.21.1 to 1.22.0 ([#1724](https://github.com/bitnami-labs/sealed-secrets/pull/1724))
- Bump github.com/onsi/gomega from 1.36.3 to 1.37.0 ([#1722](https://github.com/bitnami-labs/sealed-secrets/pull/1722))
- Bump github.com/onsi/ginkgo/v2 from 2.23.3 to 2.23.4 ([#1723](https://github.com/bitnami-labs/sealed-secrets/pull/1723))
- Bump golang.org/x/crypto from 0.36.0 to 0.37.0 ([#1721](https://github.com/bitnami-labs/sealed-secrets/pull/1721))

## v0.29.0

- Fix register a key using secret creationTimestamp instead of certificate validity timestamp ([#1681](https://github.com/bitnami-labs/sealed-secrets/pull/1681))
- Bump to go1.23.7 ([#1714](https://github.com/bitnami-labs/sealed-secrets/pull/1714))
- Update environment k8s version on CI ([#1688](https://github.com/bitnami-labs/sealed-secrets/pull/1688))
- Update go tooling to 1.23.6 ([#1686](https://github.com/bitnami-labs/sealed-secrets/pull/1686))
- Bump github.com/onsi/gomega from 1.36.2 to 1.36.3 ([#1712](https://github.com/bitnami-labs/sealed-secrets/pull/1712))
- Bump github.com/onsi/ginkgo/v2 from 2.23.0 to 2.23.3 ([#1711](https://github.com/bitnami-labs/sealed-secrets/pull/1711))
- Bump k8s.io/code-generator from 0.32.2 to 0.32.3 ([#1708](https://github.com/bitnami-labs/sealed-secrets/pull/1708))
- Bump k8s.io/client-go from 0.32.2 to 0.32.3 ([#1705](https://github.com/bitnami-labs/sealed-secrets/pull/1705))
- Bump golang.org/x/net from 0.35.0 to 0.36.0 in the go_modules group ([#1702](https://github.com/bitnami-labs/sealed-secrets/pull/1702))
- Bump golang.org/x/crypto from 0.35.0 to 0.36.0 ([#1699](https://github.com/bitnami-labs/sealed-secrets/pull/1699))
- Bump github.com/prometheus/client_golang from 1.21.0 to 1.21.1 ([#1699](https://github.com/bitnami-labs/sealed-secrets/pull/1699))
- Bump github.com/onsi/ginkgo/v2 from 2.22.2 to 2.23.0 ([#1701](https://github.com/bitnami-labs/sealed-secrets/pull/1701))
- Bump github.com/prometheus/client_golang from 1.20.5 to 1.21.0 ([#1695](https://github.com/bitnami-labs/sealed-secrets/pull/1695))
- Bump github.com/google/go-cmp from 0.6.0 to 0.7.0 ([#1696](https://github.com/bitnami-labs/sealed-secrets/pull/1696))
- Bump golang.org/x/crypto from 0.33.0 to 0.35.0 ([#1697](https://github.com/bitnami-labs/sealed-secrets/pull/1697))
- Bump k8s.io/client-go from 0.32.1 to 0.32.2 ([#1691](https://github.com/bitnami-labs/sealed-secrets/pull/1691))
- Bump k8s.io/code-generator from 0.32.1 to 0.32.2 ([#1693](https://github.com/bitnami-labs/sealed-secrets/pull/1693))
- Bump golang.org/x/crypto from 0.32.0 to 0.33.0 ([#1685](https://github.com/bitnami-labs/sealed-secrets/pull/1685))
- Bump github.com/spf13/pflag from 1.0.5 to 1.0.6 ([#1683](https://github.com/bitnami-labs/sealed-secrets/pull/1683))
- Bump k8s.io/client-go from 0.32.0 to 0.32.1 ([#1678](https://github.com/bitnami-labs/sealed-secrets/pull/1678))
- Bump k8s.io/code-generator from 0.32.0 to 0.32.1 ([#1677](https://github.com/bitnami-labs/sealed-secrets/pull/1677))

## v0.28.0

- fix: explicitly set resourceFieldRef.divisor ([#1655](https://github.com/bitnami-labs/sealed-secrets/pull/1655))
- Fix deprecated functions for bumping client-go ([#1667](https://github.com/bitnami-labs/sealed-secrets/pull/1667))
- Bump github.com/onsi/ginkgo/v2 from 2.22.1 to 2.22.2 ([#1670](https://github.com/bitnami-labs/sealed-secrets/pull/1670))
- Bump golang.org/x/crypto from 0.31.0 to 0.32.0 ([#1671](https://github.com/bitnami-labs/sealed-secrets/pull/1671))
- Bump github.com/onsi/gomega from 1.36.1 to 1.36.2 ([#1669](https://github.com/bitnami-labs/sealed-secrets/pull/1669))
- Bump github.com/onsi/ginkgo/v2 from 2.22.0 to 2.22.1 ([#1668](https://github.com/bitnami-labs/sealed-secrets/pull/1668))
- Bump github.com/onsi/gomega from 1.36.0 to 1.36.1 ([#1664](https://github.com/bitnami-labs/sealed-secrets/pull/1664))
- Bump golang.org/x/crypto from 0.30.0 to 0.31.0 ([#1659](https://github.com/bitnami-labs/sealed-secrets/pull/1659))
- Bump golang.org/x/crypto from 0.29.0 to 0.30.0 ([#1657](https://github.com/bitnami-labs/sealed-secrets/pull/1657))

## v0.27.3

- Bump k8s.io/apimachinery from 0.31.2 to 0.31.3 ([#1642](https://github.com/bitnami-labs/sealed-secrets/pull/1642))
- Bump k8s.io/code-generator from 0.31.2 to 0.31.3 ([#1643](https://github.com/bitnami-labs/sealed-secrets/pull/1643))
- Bump github.com/onsi/gomega from 1.35.1 to 1.36.0 ([#1645](https://github.com/bitnami-labs/sealed-secrets/pull/1645))
- re-introduce install instructions with to releases ([#1649](https://github.com/bitnami-labs/sealed-secrets/pull/1649))
- Properly error out when input file doesn't exist ([#1640](https://github.com/bitnami-labs/sealed-secrets/pull/1640))
- Bump github.com/onsi/ginkgo/v2 from 2.21.0 to 2.22.0 ([#1641](https://github.com/bitnami-labs/sealed-secrets/pull/1641))
- Bump golang.org/x/crypto from 0.28.0 to 0.29.0 ([#1635](https://github.com/bitnami-labs/sealed-secrets/pull/1635))
- Configure max retries ([#1633](https://github.com/bitnami-labs/sealed-secrets/pull/1633))
- Label "app.kubernetes.io/instance" in the Prometheus metric ([#1620](https://github.com/bitnami-labs/sealed-secrets/pull/1620))
- Bump github.com/onsi/gomega from 1.34.2 to 1.35.1 ([#1624](https://github.com/bitnami-labs/sealed-secrets/pull/1624))
- Adding keyttl and keycutofftime options to helm chart ([#1610](https://github.com/bitnami-labs/sealed-secrets/pull/1610))
- Bump github.com/onsi/ginkgo/v2 from 2.20.2 to 2.21.0 ([#1623](https://github.com/bitnami-labs/sealed-secrets/pull/1623))

## v0.27.2

- feature: Show error if there's no secret to encode ([#1580](https://github.com/bitnami-labs/sealed-secrets/pull/1580))
- feature: allow container port configuration ([#1606](https://github.com/bitnami-labs/sealed-secrets/pull/1606))
- chore: Update go version to 1.22.8 ([#1621](https://github.com/bitnami-labs/sealed-secrets/pull/1621))
- chore: Update the TCSP settings for helm testing ([#1608](https://github.com/bitnami-labs/sealed-secrets/pull/1608))
- chore: Redirect external site to the GitHub Repository ([#1589](https://github.com/bitnami-labs/sealed-secrets/pull/1589))
- chore: Update dependencies (Several automatic PRs)

## v0.27.1

- chore: Update dependencies ([#1565](https://github.com/bitnami-labs/sealed-secrets/pull/1565))
- chore: Bump golang.org/x/crypto from 0.24.0 to 0.25.0 ([#1561](https://github.com/bitnami-labs/sealed-secrets/pull/1561))
- chore: Bump k8s.io/klog/v2 from 2.130.0 to 2.130.1 ([#1558](https://github.com/bitnami-labs/sealed-secrets/pull/1558))
- chore: Improve release process ([#1559](https://github.com/bitnami-labs/sealed-secrets/pull/1559))

## v0.27.0

- feature: loadbalancerclass ([#1545](https://github.com/bitnami-labs/sealed-secrets/pull/1545))
- Add sprig function library for templating ([#1542](https://github.com/bitnami-labs/sealed-secrets/pull/1542))
- Update install instructions for consistent HTTP request package ([#1546](https://github.com/bitnami-labs/sealed-secrets/pull/1546))
- Bump k8s.io/client-go from 0.30.1 to 0.30.2 ([#1552](https://github.com/bitnami-labs/sealed-secrets/pull/1552))
- Bump k8s.io/klog/v2 from 2.120.1 to 2.130.0 ([#1551](https://github.com/bitnami-labs/sealed-secrets/pull/1551))
- Bump k8s.io/code-generator from 0.30.1 to 0.30.2 ([#1550](https://github.com/bitnami-labs/sealed-secrets/pull/1550))
- Bump golang.org/x/crypto from 0.23.0 to 0.24.0 ([#1544](https://github.com/bitnami-labs/sealed-secrets/pull/1544))
- Bump github.com/onsi/ginkgo/v2 from 2.17.3 to 2.19.0 ([#1540](https://github.com/bitnami-labs/sealed-secrets/pull/1540))

## v0.26.3

### Changelog

- fix: code generation ([#1536](https://github.com/bitnami-labs/sealed-secrets/pull/1536))
- fix: show field name in error message when base64 decoding fails ([#1519](https://github.com/bitnami-labs/sealed-secrets/pull/1519))
- helm: Set `GOMAXPROCS` and `GOMEMLIMIT` environment variables ([#1528](https://github.com/bitnami-labs/sealed-secrets/pull/1528))
- docs: mention limitation of backup with key renewal ([#1533](https://github.com/bitnami-labs/sealed-secrets/pull/1533))
- chore: update dependencies ([#1535](https://github.com/bitnami-labs/sealed-secrets/pull/1535))
- chore: Bump k8s.io/code-generator from 0.30.0 to 0.30.1 ([#1529](https://github.com/bitnami-labs/sealed-secrets/pull/1529))
- chore: Bump k8s.io/client-go from 0.30.0 to 0.30.1 ([#1532](https://github.com/bitnami-labs/sealed-secrets/pull/1532))
- chore: Bump github.com/onsi/ginkgo/v2 from 2.17.2 to 2.17.3 ([#1527](https://github.com/bitnami-labs/sealed-secrets/pull/1527))
- chore: Bump github.com/prometheus/client_golang from 1.19.0 to 1.19.1 ([#1526](https://github.com/bitnami-labs/sealed-secrets/pull/1526))
- chore: Bump k8s.io/code-generator from 0.29.3 to 0.30.0 ([#1513](https://github.com/bitnami-labs/sealed-secrets/pull/1513))
- chore: Update dependencies ([#1524](https://github.com/bitnami-labs/sealed-secrets/pull/1524))
- chore: Bump github.com/onsi/gomega from 1.33.0 to 1.33.1 ([#1522](https://github.com/bitnami-labs/sealed-secrets/pull/1522))
- chore: Bump github.com/onsi/ginkgo/v2 from 2.17.1 to 2.17.2 ([#1520](https://github.com/bitnami-labs/sealed-secrets/pull/1520))
- chore: Bump github.com/onsi/gomega from 1.32.0 to 1.33.0 ([#1512](https://github.com/bitnami-labs/sealed-secrets/pull/1512))
- chore: increase vib timeout ([#1509](https://github.com/bitnami-labs/sealed-secrets/pull/1509))
- chore: fix publish-release workflow ([#1508](https://github.com/bitnami-labs/sealed-secrets/pull/1508))
- chore: Bump golang.org/x/crypto from 0.21.0 to 0.22.0 ([#1505](https://github.com/bitnami-labs/sealed-secrets/pull/1505))

## v0.26.2

### Changelog

- fix: update dependencies and version for CVE-2023-45288 ([#1501](https://github.com/bitnami-labs/sealed-secrets/pull/1501))
- fix(helm): role binding annotations ([#1494](https://github.com/bitnami-labs/sealed-secrets/pull/1494))
- chore: update cosign version ([#1495](https://github.com/bitnami-labs/sealed-secrets/pull/1495))
- chore: Bump github.com/onsi/ginkgo/v2 from 2.16.0 to 2.17.1 ([#1497](https://github.com/bitnami-labs/sealed-secrets/pull/1497))
- chore: Bump k8s.io/client-go from 0.29.2 to 0.29.3 ([#1486](https://github.com/bitnami-labs/sealed-secrets/pull/1486))
- chore: Bump k8s.io/code-generator from 0.29.2 to 0.29.3 ([#1488](https://github.com/bitnami-labs/sealed-secrets/pull/1488))
- chore: Bump github.com/onsi/gomega from 1.31.1 to 1.32.0 ([#1489](https://github.com/bitnami-labs/sealed-secrets/pull/1489))
- chore: Bump k8s.io/apimachinery from 0.29.2 to 0.29.3 ([#1490](https://github.com/bitnami-labs/sealed-secrets/pull/1490))
- chore: Update security contact and other references DL to the new team one ([#1500](https://github.com/bitnami-labs/sealed-secrets/pull/1500))

## v0.26.1

### Changelog

- fix: panic when patching empty secret ([#1474](https://github.com/bitnami-labs/sealed-secrets/pull/1474))
- fix: Modify LastUpdateTime when the Sealed Secrets is being updated ([#1475](https://github.com/bitnami-labs/sealed-secrets/pull/1475))
- fix: Bring back private keys logging ([#1481](https://github.com/bitnami-labs/sealed-secrets/pull/1481))
- fix: missing common annotations in the helm chart ([#1471](https://github.com/bitnami-labs/sealed-secrets/pull/1471))
- fix: Add metrics port to allow ingress traffic in the netpols ([#1473](https://github.com/bitnami-labs/sealed-secrets/pull/1473))
- chore: Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 ([#1480](https://github.com/bitnami-labs/sealed-secrets/pull/1480))
- chore: Bump golang.org/x/crypto from 0.20.0 to 0.21.0 ([#1477](https://github.com/bitnami-labs/sealed-secrets/pull/1477))
- chore: Bump github.com/onsi/ginkgo/v2 from 2.15.0 to 2.16.0 ([#1478](https://github.com/bitnami-labs/sealed-secrets/pull/1478))
- chore: Bump github.com/prometheus/client_golang from 1.18.0 to 1.19.0 ([#1476](https://github.com/bitnami-labs/sealed-secrets/pull/1476))
- chore: Bump golang.org/x/crypto from 0.19.0 to 0.20.0 ([#1472](https://github.com/bitnami-labs/sealed-secrets/pull/1472))
- chore: Bump k8s.io/code-generator from 0.29.1 to 0.29.2 ([#1467](https://github.com/bitnami-labs/sealed-secrets/pull/1467))

## v0.26.0

### Changelog

- feat: Implement structured logging ([#1438](https://github.com/bitnami-labs/sealed-secrets/pull/1438))
- feat: [helm] add rbac.proxier config ([#1451](https://github.com/bitnami-labs/sealed-secrets/pull/1451))
- docs: Add clarity around template Secret fields ([#1456](https://github.com/bitnami-labs/sealed-secrets/pull/1456))
- docs: [helm] adding disable keyrenewperiod comment ([#1455](https://github.com/bitnami-labs/sealed-secrets/pull/1455))
- chore: Update Go version and dependencies ([#1460](https://github.com/bitnami-labs/sealed-secrets/pull/1460))
- chore: Bump golang.org/x/crypto from 0.18.0 to 0.19.0 ([#1458](https://github.com/bitnami-labs/sealed-secrets/pull/1458))
- chore: Bump k8s.io/client-go from 0.29.0 to 0.29.1 ([#1452](https://github.com/bitnami-labs/sealed-secrets/pull/1452))
- chore: Bump k8s.io/code-generator from 0.29.0 to 0.29.1 ([#1441](https://github.com/bitnami-labs/sealed-secrets/pull/1441))
- chore: Bump k8s.io/api from 0.29.0 to 0.29.1 ([#1443](https://github.com/bitnami-labs/sealed-secrets/pull/1443))
- chore: Bump k8s.io/klog/v2 from 2.120.0 to 2.120.1 ([#1439](https://github.com/bitnami-labs/sealed-secrets/pull/1439))
- chore: Bump github.com/onsi/gomega from 1.30.0 to 1.31.1 ([#1440](https://github.com/bitnami-labs/sealed-secrets/pull/1440))

## v0.25.0

### Changelog

- feat: support immutable secrets ([#1395](https://github.com/bitnami-labs/sealed-secrets/pull/1395))
- Update dependencies ([#1411](https://github.com/bitnami-labs/sealed-secrets/pull/1411))
- Support fetching certificate URL via proxy environment variables ([#1419](https://github.com/bitnami-labs/sealed-secrets/pull/1419))
- Bump github.com/onsi/ginkgo/v2 from 2.13.2 to 2.14.0 ([#1432](https://github.com/bitnami-labs/sealed-secrets/pull/1432))
- Bump k8s.io/klog/v2 from 2.110.1 to 2.120.0 ([#1431](https://github.com/bitnami-labs/sealed-secrets/pull/1431))
- Bump golang.org/x/crypto from 0.17.0 to 0.18.0 ([#1425](https://github.com/bitnami-labs/sealed-secrets/pull/1425))
- Bump github.com/prometheus/client_golang from 1.17.0 to 1.18.0 ([#1421](https://github.com/bitnami-labs/sealed-secrets/pull/1421))
- Bump k8s.io/code-generator from 0.28.4 to 0.29.0 ([#1406](https://github.com/bitnami-labs/sealed-secrets/pull/1406))
- Bump golang.org/x/crypto from 0.16.0 to 0.17.0 ([#1405](https://github.com/bitnami-labs/sealed-secrets/pull/1405))

## v0.24.5

### Changelog

- feat: Helm - Add sources ([#1383](https://github.com/bitnami-labs/sealed-secrets/pull/1383))
- Update golang to the latest tooling version ([#1398](https://github.com/bitnami-labs/sealed-secrets/pull/1398))
- Bump github.com/onsi/ginkgo/v2 from 2.13.1 to 2.13.2 ([#1397](https://github.com/bitnami-labs/sealed-secrets/pull/1397))
- Bump golang.org/x/crypto from 0.15.0 to 0.16.0 ([#1394](https://github.com/bitnami-labs/sealed-secrets/pull/1394))
- Bump k8s.io/code-generator from 0.28.3 to 0.28.4  ([#1390](https://github.com/bitnami-labs/sealed-secrets/pull/1390))
- Bump k8s.io/client-go from 0.28.3 to 0.28.4  ([#1389](https://github.com/bitnami-labs/sealed-secrets/pull/1389))
- Bump k8s.io/client-go from 0.28.3 to 0.28.4  ([#1389](https://github.com/bitnami-labs/sealed-secrets/pull/1389))

## v0.24.4

### Changelog

- kubeseal: write help message to stdout ([#1377](https://github.com/bitnami-labs/sealed-secrets/pull/1377))
- fix: Set up LastTransitionTime in case that it is empty ([#1370](https://github.com/bitnami-labs/sealed-secrets/pull/1370))
- Bump github.com/onsi/gomega from 1.29.0 to 1.30.0 ([#1376](https://github.com/bitnami-labs/sealed-secrets/pull/1376))
- Bump golang.org/x/crypto from 0.14.0 to 0.15.0 ([#1375](https://github.com/bitnami-labs/sealed-secrets/pull/1375))
- Bump github.com/onsi/ginkgo/v2 from 2.13.0 to 2.13.1 ([#1374](https://github.com/bitnami-labs/sealed-secrets/pull/1374))
- Bump k8s.io/klog/v2 from 2.100.1 to 2.110.1 ([#1367](https://github.com/bitnami-labs/sealed-secrets/pull/1367))

## v0.24.3

### Changelog

- fix a bug that kept a sealed secret's generation and observedgeneration out of sync ([#1360](https://github.com/bitnami-labs/sealed-secrets/pull/1360))
- fix: add pdb ([#1340](https://github.com/bitnami-labs/sealed-secrets/pull/1340))
- Bump k8s.io/code-generator from 0.28.2 to 0.28.3 ([#1358](https://github.com/bitnami-labs/sealed-secrets/pull/1340))
- Bump github.com/onsi/gomega from 1.28.1 to 1.29.0 ([#1357](https://github.com/bitnami-labs/sealed-secrets/pull/1357))
- Bump github.com/mattn/go-isatty from 0.0.19 to 0.0.20 ([#1353](https://github.com/bitnami-labs/sealed-secrets/pull/1353))
- Bump github.com/onsi/gomega from 1.28.0 to 1.28.1 ([#1351](https://github.com/bitnami-labs/sealed-secrets/pull/1351))
- Bump k8s.io/client-go from 0.28.2 to 0.28.3 ([#1350](https://github.com/bitnami-labs/sealed-secrets/pull/1350))
- Bump k8s.io/api from 0.28.2 to 0.28.3 ([#1349](https://github.com/bitnami-labs/sealed-secrets/pull/1349))
- Bump github.com/google/go-cmp from 0.5.9 to 0.6.0 ([#1348](https://github.com/bitnami-labs/sealed-secrets/pull/1348))

## v0.24.2

### Changelog

- Fix issue where sealed secrets status is not updated if sealed secret…  ([#1295](https://github.com/bitnami-labs/sealed-secrets/pull/1295))
- Bump golang.org/x/crypto from 0.13.0 to 0.14.0 ([#1341](https://github.com/bitnami-labs/sealed-secrets/pull/1341))
- Bump github.com/onsi/ginkgo/v2 from 2.12.1 to 2.13.0 ([#1342](https://github.com/bitnami-labs/sealed-secrets/pull/1342))
- Bump golang.org/x/net from 0.14.0 to 0.17.0 ([#1344](https://github.com/bitnami-labs/sealed-secrets/pull/1344))

## v0.24.1

### Changelog

- fix: remove trailing dashes for multidoc yaml ([#1335](https://github.com/bitnami-labs/sealed-secrets/pull/1335))

## v0.24.0

### Changelog

- feat: multidoc support for yaml and json ([#1304](https://github.com/bitnami-labs/sealed-secrets/pull/1304))
- Delete repeating warning message ([#1303](https://github.com/bitnami-labs/sealed-secrets/pull/1303))
- Add dashboard configmap annotations ([#1302](https://github.com/bitnami-labs/sealed-secrets/pull/1302))
- Update the golang version to the latest available one ([#1318](https://github.com/bitnami-labs/sealed-secrets/pull/1318))
- Update Linux installation process on README to have a way to dynamically get kubeseal version number ([#1294](https://github.com/bitnami-labs/sealed-secrets/pull/1294))
- Bump golang.org/x/crypto from 0.12.0 to 0.13.0 ([#1319](https://github.com/bitnami-labs/sealed-secrets/pull/1319))
- Bump github.com/onsi/ginkgo/v2 from 2.11.0 to 2.12.0 ([#1310](https://github.com/bitnami-labs/sealed-secrets/pull/1310))
- Bump k8s.io/client-go from 0.28.0 to 0.28.1 ([#1308](https://github.com/bitnami-labs/sealed-secrets/pull/1308))
- Bump k8s.io/code-generator from 0.28.0 to 0.28.1 ([#1307](https://github.com/bitnami-labs/sealed-secrets/pull/1307))
- Bump k8s.io/code-generator from 0.27.4 to 0.28.0 ([#1300](https://github.com/bitnami-labs/sealed-secrets/pull/1300))
- Bump k8s.io/client-go from 0.27.4 to 0.28.0 ([#1297](https://github.com/bitnami-labs/sealed-secrets/pull/1297))

## v0.23.1

### Changelog

- securityContext adjusted ([#1261](https://github.com/bitnami-labs/sealed-secrets/pull/1261))
- allow changing the default revisionHistoryLimit ([#1286](https://github.com/bitnami-labs/sealed-secrets/pull/1286))
- Bump k8s.io/client-go from 0.27.3 to 0.27.4 ([#1277](https://github.com/bitnami-labs/sealed-secrets/pull/1277))
- Bump k8s.io/code-generator from 0.27.3 to 0.27.4 ([#1278](https://github.com/bitnami-labs/sealed-secrets/pull/1278))
- Bump github.com/onsi/gomega from 1.27.8 to 1.27.10 ([#1279](https://github.com/bitnami-labs/sealed-secrets/pull/1279))
- Bump k8s.io/api from 0.27.3 to 0.27.4 ([#1281](https://github.com/bitnami-labs/sealed-secrets/pull/1281))
- Bump golang.org/x/crypto from 0.11.0 to 0.12.0 ([#1287](https://github.com/bitnami-labs/sealed-secrets/pull/1287))

## v0.23.0

### Changelog

- Add option for custom annotations and labels on sealing keypairs ([#1250](https://github.com/bitnami-labs/sealed-secrets/pull/1250))
- Add option to patch secrets instead of clobbering them ([#1259](https://github.com/bitnami-labs/sealed-secrets/pull/1259))
- Improve CLI UX error message while service is not found ([#1256](https://github.com/bitnami-labs/sealed-secrets/pull/1256))
- Add namespaced roles support to Helm chart ([#1240](https://github.com/bitnami-labs/sealed-secrets/pull/1240))
- add --log-info-stdout to chart ([#1238](https://github.com/bitnami-labs/sealed-secrets/pull/1238))
- Fix networkpolicy port + add egress ([#1243](https://github.com/bitnami-labs/sealed-secrets/pull/1243))
- Create index for Sealed Secrets public documentation ([#1264](https://github.com/bitnami-labs/sealed-secrets/pull/1264))
- Getting started page ([#1253](https://github.com/bitnami-labs/sealed-secrets/pull/1253))
- Create a FAQ document for Sealed Secrets public documentation ([#1269](https://github.com/bitnami-labs/sealed-secrets/pull/1269))
- Create a cryptography document for Sealed Secrets public documentation ([#1267](https://github.com/bitnami-labs/sealed-secrets/pull/1267))
- Validate existing Sealed Secrets document ([#1266](https://github.com/bitnami-labs/sealed-secrets/pull/1266))
- added support policy to readme ([#1265](https://github.com/bitnami-labs/sealed-secrets/pull/1265))
- Add missing document separator ([#1260](https://github.com/bitnami-labs/sealed-secrets/pull/1260))
- Enable full linter support for golangci-lint ([#1262](https://github.com/bitnami-labs/sealed-secrets/pull/1262))
- Update minikube K8S versions ([#1251](https://github.com/bitnami-labs/sealed-secrets/pull/1251))
- Bump github.com/onsi/ginkgo/v2 from 2.10.0 to 2.11.0 ([#1254](https://github.com/bitnami-labs/sealed-secrets/pull/1254))
- Bump k8s.io/code-generator from 0.27.2 to 0.27.3 ([#1255](https://github.com/bitnami-labs/sealed-secrets/pull/1255))
- Bump golang.org/x/crypto from 0.10.0 to 0.11.0 ([#1268](https://github.com/bitnami-labs/sealed-secrets/pull/1268))
- Bump github.com/prometheus/client_golang from 1.15.1 to 1.16.0 ([#1247](https://github.com/bitnami-labs/sealed-secrets/pull/1247))
- Bump golang.org/x/crypto from 0.9.0 to 0.10.0 ([#1248](https://github.com/bitnami-labs/sealed-secrets/pull/1248))
- Bump k8s.io/client-go from 0.27.2 to 0.27.3 ([#1244](https://github.com/bitnami-labs/sealed-secrets/pull/1244))

## v0.22.0

### Changelog

- Feature allow to skip set owner references ([#1200](https://github.com/bitnami-labs/sealed-secrets/pull/1200))
- Add additionalPrinterColumns for status and age ([#1217](https://github.com/bitnami-labs/sealed-secrets/pull/1217))
- Add replicas default value to the deployment manifest ([#1219](https://github.com/bitnami-labs/sealed-secrets/pull/1219))
- Create SECURITY.md ([#1226](https://github.com/bitnami-labs/sealed-secrets/pull/1226))
- Fix doc generated code directory ([#1227](https://github.com/bitnami-labs/sealed-secrets/pull/1227))
- Update generated code ([#1228](https://github.com/bitnami-labs/sealed-secrets/pull/1228))
- Update maintainers list ([#1237](https://github.com/bitnami-labs/sealed-secrets/pull/1237))
- Bump github.com/onsi/ginkgo/v2 from 2.9.4 to 2.9.5 ([#1215](https://github.com/bitnami-labs/sealed-secrets/pull/1215))
- Bump golang.org/x/crypto from 0.8.0 to 0.9.0 ([#1216](https://github.com/bitnami-labs/sealed-secrets/pull/1216))
- Bump k8s.io/apimachinery from 0.27.1 to 0.27.2 ([#1221](https://github.com/bitnami-labs/sealed-secrets/pull/1221))
- Bump k8s.io/client-go from 0.27.1 to 0.27.2 ([#1222](https://github.com/bitnami-labs/sealed-secrets/pull/1222))
- Bump github.com/mattn/go-isatty from 0.0.18 to 0.0.19 ([#1223](https://github.com/bitnami-labs/sealed-secrets/pull/1223))
- Bump k8s.io/code-generator from 0.27.1 to 0.27.2 ([#1225](https://github.com/bitnami-labs/sealed-secrets/pull/1225))
- Bump github.com/onsi/gomega from 1.27.6 to 1.27.7 ([#1229](https://github.com/bitnami-labs/sealed-secrets/pull/1229))
- Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.9.7 ([#1231](https://github.com/bitnami-labs/sealed-secrets/pull/1231))
- Bump github.com/onsi/gomega from 1.27.7 to 1.27.8 ([#1234](https://github.com/bitnami-labs/sealed-secrets/pull/1234))
- Bump github.com/onsi/ginkgo/v2 from 2.9.7 to 2.10.0 ([#1235](https://github.com/bitnami-labs/sealed-secrets/pull/1235))

## v0.21.0

### Changelog

- Enable logging info to stdout ([#1195](https://github.com/bitnami-labs/sealed-secrets/pull/1195))
- Bump github.com/prometheus/client_golang from 1.15.0 to 1.15.1 ([#1204](https://github.com/bitnami-labs/sealed-secrets/pull/1204))
- Bump github.com/onsi/ginkgo/v2 from 2.9.2 to 2.9.4 ([#1203](https://github.com/bitnami-labs/sealed-secrets/pull/1203))
- Bump k8s.io/klog/v2 from 2.90.1 to 2.100.1 ([#1201](https://github.com/bitnami-labs/sealed-secrets/pull/1201))
- Bump k8s.io/code-generator from 0.26.3 to 0.27.1 ([#1188](https://github.com/bitnami-labs/sealed-secrets/pull/1188)) 
- Bump k8s.io/client-go from 0.26.3 to 0.27.1 ([#1187](https://github.com/bitnami-labs/sealed-secrets/pull/1187)) 
- Bump github.com/prometheus/client_golang from 1.14.0 to 1.15.0 ([#1189](https://github.com/bitnami-labs/sealed-secrets/pull/1189)) 

## v0.20.5

### Changelog

- Generate embedded ObjectMeta in CRD ([#1177](https://github.com/bitnami-labs/sealed-secrets/pull/1177))
- Sign images using Cosign v2 ([#1176](https://github.com/bitnami-labs/sealed-secrets/pull/1176))
- ReProcess only on spec changes ([#1174](https://github.com/bitnami-labs/sealed-secrets/pull/1174))
- Upgrade sealed secrets to Go 1.20 ([#1173](https://github.com/bitnami-labs/sealed-secrets/pull/1173))
- Fix cosign command for goreleaser ([#1180](https://github.com/bitnami-labs/sealed-secrets/pull/1180))
- Fix kubeseal image sign for cosign v2 ([#1182](https://github.com/bitnami-labs/sealed-secrets/pull/1182))
- Remove automountServiceAccountToken parameter ([#1162](https://github.com/bitnami-labs/sealed-secrets/pull/1162))
- Verify chart with secret recreation disabled ([#1163](https://github.com/bitnami-labs/sealed-secrets/pull/1163))
- Bump golang.org/x/crypto from 0.7.0 to 0.8.0 ([#1175](https://github.com/bitnami-labs/sealed-secrets/pull/1175))
- Bump github.com/onsi/gomega from 1.27.5 to 1.27.6 ([#1169](https://github.com/bitnami-labs/sealed-secrets/pull/1169))
- Bump github.com/onsi/gomega from 1.27.4 to 1.27.5 ([#1168](https://github.com/bitnami-labs/sealed-secrets/pull/1168))
- Bump github.com/mattn/go-isatty from 0.0.17 to 0.0.18 ([#1167](https://github.com/bitnami-labs/sealed-secrets/pull/1167))
- Bump github.com/onsi/ginkgo/v2 from 2.9.1 to 2.9.2 ([#1166](https://github.com/bitnami-labs/sealed-secrets/pull/1166))
- Bump k8s.io/apimachinery from 0.26.2 to 0.26.3 ([#1160](https://github.com/bitnami-labs/sealed-secrets/pull/1160))
- Bump k8s.io/code-generator from 0.26.2 to 0.26.3 ([#1159](https://github.com/bitnami-labs/sealed-secrets/pull/1159))
- Bump k8s.io/api from 0.26.2 to 0.26.3 ([#1158](https://github.com/bitnami-labs/sealed-secrets/pull/1158))
- Bump k8s.io/client-go from 0.26.2 to 0.26.3 ([#1157](https://github.com/bitnami-labs/sealed-secrets/pull/1157))
- Update VIB release tag format ([#1165](https://github.com/bitnami-labs/sealed-secrets/pull/1165))
- Update VIB action ([#1164](https://github.com/bitnami-labs/sealed-secrets/pull/1164))
- Include dockerhub pull statistics in the project README ([#1172](https://github.com/bitnami-labs/sealed-secrets/pull/1172))

## v0.20.4

Incomplete release

## v0.20.3

Incomplete release

## v0.20.2

### Changelog

- Fix panic when skip recreate is enabled ([#1152](https://github.com/bitnami-labs/sealed-secrets/pull/1152))

## v0.20.1

### Changelog

- Parametrize cluster role name ([#1141](https://github.com/bitnami-labs/sealed-secrets/pull/1141))
- Allow automountServiceAccountToken to be set to false ([#1128](https://github.com/bitnami-labs/sealed-secrets/pull/1128))
- Allow to disable secret auto-recreation ([#1118](https://github.com/bitnami-labs/sealed-secrets/pull/1118))
- Bump github.com/onsi/gomega from 1.27.2 to 1.27.4 ([#1143](https://github.com/bitnami-labs/sealed-secrets/pull/1143))
- Bump k8s.io/client-go from 0.26.1 to 0.26.2 ([#1136](https://github.com/bitnami-labs/sealed-secrets/pull/1136))
- Bump k8s.io/code-generator from 0.26.1 to 0.26.2 ([#1137](https://github.com/bitnami-labs/sealed-secrets/pull/1137))
- Bump k8s.io/api from 0.26.1 to 0.26.2 ([#1135](https://github.com/bitnami-labs/sealed-secrets/pull/1135))
- Bump github.com/onsi/gomega from 1.27.1 to 1.27.2 ([#1134](https://github.com/bitnami-labs/sealed-secrets/pull/1134))
- Bump k8s.io/apimachinery from 0.26.1 to 0.26.2 ([#1133](https://github.com/bitnami-labs/sealed-secrets/pull/1133))
- Bump k8s.io/klog/v2 from 2.90.0 to 2.90.1 ([#1132](https://github.com/bitnami-labs/sealed-secrets/pull/1132))
- Bump github.com/onsi/ginkgo/v2 from 2.8.3 to 2.9.0 ([#1131](https://github.com/bitnami-labs/sealed-secrets/pull/1131))
- Bump golang.org/x/crypto from 0.6.0 to 0.7.0 ([#1130](https://github.com/bitnami-labs/sealed-secrets/pull/1130))
- Ensure vib runs only when PR is approved ([#1121](https://github.com/bitnami-labs/sealed-secrets/pull/1121))
- Run VIB Helm chart validations on push to main ([#1140](https://github.com/bitnami-labs/sealed-secrets/pull/1140))
- Update parameters table ([#1139](https://github.com/bitnami-labs/sealed-secrets/pull/1139))
- Update docs ([#1127](https://github.com/bitnami-labs/sealed-secrets/pull/1127))

## v0.20.0

Incomplete release

## v0.19.5

### Changelog

- Automated controller test on Openshift platforms (using [VMware Image Builder](https://tanzu.vmware.com/image-builder)) ([#1107](https://github.com/bitnami-labs/sealed-secrets/pull/1107)).
- We now generate a Carvel package distribution of the controller ([#1104](https://github.com/bitnami-labs/sealed-secrets/pull/1104)).
- Bump golang.org/x/crypto from 0.5.0 to 0.6.0 ([#1108](https://github.com/bitnami-labs/sealed-secrets/pull/1108)).
- Bump github.com/onsi/gomega from 1.25.0 to 1.26.0 ([#1103](https://github.com/bitnami-labs/sealed-secrets/pull/1103)).
- Bump k8s.io/code-generator from 0.26.0 to 0.26.1 ([#1102](https://github.com/bitnami-labs/sealed-secrets/pull/1102)).
- Bump github.com/onsi/ginkgo/v2 from 2.7.0 to 2.8.0 ([#1101](https://github.com/bitnami-labs/sealed-secrets/pull/1101)).
- Bump k8s.io/api from 0.26.0 to 0.26.1 ([#1097](https://github.com/bitnami-labs/sealed-secrets/pull/1097)).
- Bump k8s.io/client-go from 0.26.0 to 0.26.1  ([#1096](https://github.com/bitnami-labs/sealed-secrets/pull/1096)).
- Bump k8s.io/klog/v2 from 2.80.1 to 2.90.0 ([#1094](https://github.com/bitnami-labs/sealed-secrets/pull/1094)).
- Bump k8s.io/apimachinery from 0.26.0 to 0.26.1 ([#1093](https://github.com/bitnami-labs/sealed-secrets/pull/1093)).

## v0.19.4

### Changelog

- Bump github.com/onsi/ginkgo/v2 from 2.6.1 to 2.7.0 ([#1086](https://github.com/bitnami-labs/sealed-secrets/pull/1086)).
- Bump golang.org/x/crypto from 0.4.0 to 0.5.0 ([#1085](https://github.com/bitnami-labs/sealed-secrets/pull/1085)).
- Bump github.com/mattn/go-isatty from 0.0.16 to 0.0.17 ([#1083](https://github.com/bitnami-labs/sealed-secrets/pull/1083)).
- Bump github.com/onsi/gomega from 1.24.1 to 1.24.2 ([#1079](https://github.com/bitnami-labs/sealed-secrets/pull/1079)).
- Bump k8s.io/code-generator from 0.25.4 to 0.26.0 ([#1078](https://github.com/bitnami-labs/sealed-secrets/pull/1078)).
- Bump github.com/onsi/ginkgo/v2 from 2.6.0 to 2.6.1 ([#1077](https://github.com/bitnami-labs/sealed-secrets/pull/1077)).

## v0.19.3

### Changelog

- Update to Go 1.19.4 ([#1073](https://github.com/bitnami-labs/sealed-secrets/pull/1073)).
- Bump k8s.io/client-go from 0.25.4 to 0.26.0 ([#1071](https://github.com/bitnami-labs/sealed-secrets/pull/1071)).
- Bump golang.org/x/crypto from 0.3.0 to 0.4.0 ([#1072](https://github.com/bitnami-labs/sealed-secrets/pull/1072)).
- Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.6.0 ([#1069](https://github.com/bitnami-labs/sealed-secrets/pull/1069)).
- Bump k8s.io/api from 0.25.4 to 0.26.0 ([#1068](https://github.com/bitnami-labs/sealed-secrets/pull/1068)).
- Bump golang.org/x/crypto from 0.2.0 to 0.3.0 ([#1063](https://github.com/bitnami-labs/sealed-secrets/pull/1063)).
- Bump k8s.io/client-go from 0.25.3 to 0.25.4 ([#1062](https://github.com/bitnami-labs/sealed-secrets/pull/1062)).
- Bump github.com/onsi/ginkgo/v2 from 2.5.0 to 2.5.1 ([#1061](https://github.com/bitnami-labs/sealed-secrets/pull/1061)).

## v0.19.2

### Changelog

- Distinguish std & k8s errors ([#1046](https://github.com/bitnami-labs/sealed-secrets/pull/1046)).
- Fix empty Group Version Kind ([#1044](https://github.com/bitnami-labs/sealed-secrets/pull/1044)).
- Regenerate code - detected some dummy changes ([#1033](https://github.com/bitnami-labs/sealed-secrets/pull/1033)).
- Decouple the kubeseal CLI from the kubeseal library ([#1030](https://github.com/bitnami-labs/sealed-secrets/pull/1030)).
- Remove namespaceFn ([#1029](https://github.com/bitnami-labs/sealed-secrets/pull/1029)).

## v0.19.1

### Changelog

- Fix release dockerhub container image name ([#1014](https://github.com/bitnami-labs/sealed-secrets/pull/1014)).

## v0.19.0

### Changelog

- FEATURE: Support to recreate a deleted secret generated by the controller ([#963](https://github.com/bitnami-labs/sealed-secrets/pull/963)).
- Update `golang.org/x/text` fixing CVE-2022-32149 ([#1008](https://github.com/bitnami-labs/sealed-secrets/pull/1008)).
- Expired certificate error now prints expiration date in kubeseal ([#986](https://github.com/bitnami-labs/sealed-secrets/pull/986)).

## v0.18.5

### Changelog

- Fix `controller.yaml` having no image reference ([#977](https://github.com/bitnami-labs/sealed-secrets/pull/977))

## v0.18.4

### Changelog

- Upgrade Go version, dependencies and fix CVE-2022-27664 ([#960](https://github.com/bitnami-labs/sealed-secrets/pull/960))
- Move `kubeseal` to its own package ([#939](https://github.com/bitnami-labs/sealed-secrets/pull/939))
- Several refactors to the `controller` ([#940](https://github.com/bitnami-labs/sealed-secrets/pull/940) & [#947](https://github.com/bitnami-labs/sealed-secrets/pull/947))
- Generate a proper schema for the CRD ([#941](https://github.com/bitnami-labs/sealed-secrets/pull/941), [#957](https://github.com/bitnami-labs/sealed-secrets/pull/957), [#964](https://github.com/bitnami-labs/sealed-secrets/pull/964), [#966](https://github.com/bitnami-labs/sealed-secrets/pull/966) & [#970](https://github.com/bitnami-labs/sealed-secrets/pull/970))
- Publish `kubeseal` in a container image ([#921](https://github.com/bitnami-labs/sealed-secrets/pull/921))

## v0.18.3

Incomplete release

## v0.18.2

### Changelog

- Replace ioutil with io or os ([#895](https://github.com/bitnami-labs/sealed-secrets/pull/895))
- Remove CLI global variables and refactor flag handling ([#901](https://github.com/bitnami-labs/sealed-secrets/pull/901) & [#920](https://github.com/bitnami-labs/sealed-secrets/pull/920))
- Upgrade Go version, dependencies and tooling ([#904](https://github.com/bitnami-labs/sealed-secrets/pull/904) & [#905](https://github.com/bitnami-labs/sealed-secrets/pull/905))

## v0.18.1

### Changelog

- Add flags to set the rate limit for the verify endpoint ([#873](https://github.com/bitnami-labs/sealed-secrets/pull/873))

## v0.18.0

### Changelog

- Add capability to watch multiple namespaces ([#572](https://github.com/bitnami-labs/sealed-secrets/pull/572))
- Bump `gopkg.in/yaml.v3` to avoid CVE-2022-28948 ([#852](https://github.com/bitnami-labs/sealed-secrets/pull/852))
- Bump `prometheus/client_golang` and `crypto` dependencies to avoid CVE-2022-21698 and CVE-2022-27191 ([#831](https://github.com/bitnami-labs/sealed-secrets/pull/831))
- Sign container images with cosign ([#810](https://github.com/bitnami-labs/sealed-secrets/pull/810) and [#851](https://github.com/bitnami-labs/sealed-secrets/pull/851))

## v0.17.5

### Changelog

- Switch to dockerhub ([#823](https://github.com/bitnami-labs/sealed-secrets/pull/823))
- Sign the release using cosign ([#814](https://github.com/bitnami-labs/sealed-secrets/pull/814))

## v0.17.4

### Changelog

- Fix linter errors running golangci-lint ([#751](https://github.com/bitnami-labs/sealed-secrets/pull/751) & [#771](https://github.com/bitnami-labs/sealed-secrets/pull/771))
- Added kubeseal support for darwin/arm64 ([#752](https://github.com/bitnami-labs/sealed-secrets/pull/752))
- Bump prometheus/client_golang dependency to avoid CVE-2022-21698 ([#783](https://github.com/bitnami-labs/sealed-secrets/pull/783))

## v0.17.3

### Changelog

- Unseal templates even when encryptedData is empty ([#653](https://github.com/bitnami-labs/sealed-secrets/pull/653))
- Add new RBAC rules to make Sealed Secret compatible with K8s environments with RBAC enabled ([#715](https://github.com/bitnami-labs/sealed-secrets/pull/715))
- Allow re-encrypt/validate functionalities to work with named ports defined in the Sealed Secret service ([#726](https://github.com/bitnami-labs/sealed-secrets/pull/726))
- Fix verbose logging ([#727](https://github.com/bitnami-labs/sealed-secrets/pull/727))

## v0.17.2

### Changelog

- Fix issue fetching the certificate when the Sealed Secrets service has a named port ([#648](https://github.com/bitnami-labs/sealed-secrets/pull/648))
- Drop support for Go < 1.16 and bump client-go version ([#705](https://github.com/bitnami-labs/sealed-secrets/pull/705))

## v0.17.1

### Changelog

- Binaries to emit the proper version ([#683](https://github.com/bitnami-labs/sealed-secrets/pull/683))
- Re-enable publishing K8s manifests in GH releases ([#678](https://github.com/bitnami-labs/sealed-secrets/issues/678))

## v0.17.0

### Announcements

This release finally turns on the `update-status` feature flag that was introduced back in v0.12.0. The feature is considered stable (if it doesn't work for you, you can deactivate it by setting `SEALED_SECRETS_UPDATE_STATUS=0` in the controller manifest).

### Changelog

- Update rbac api version to `rbac.authorization.k8s.io/v1` ([#602](https://github.com/bitnami-labs/sealed-secrets/issues/602))
- Enable `--update-status` by default ([#583](https://github.com/bitnami-labs/sealed-secrets/pull/583))

## v0.16.0

### Changelog

- Add ability to template arbitrary data keys within resulting secrets ([#445](https://github.com/bitnami-labs/sealed-secrets/issues/445))
- Fix status CRD in controller.yaml (backport from helm chart) ([#567](https://github.com/bitnami-labs/sealed-secrets/issues/567))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/26?closed=1

## v0.15.0

This release contains a couple of fixes in the controller and manifests.

Notable mention: You can give the `--update-status` (also available as env var `SEALED_SECRETS_UPDATE_STATUS=1`) feature flag another try. We'll turn it on by default in ~~the next release~~ v0.17.0.

### Changelog

- Remove '{}' in CRD schema properties so that ArgoCD doesn't get confused ([#529](https://github.com/bitnami-labs/sealed-secrets/issues/529))
- Fix bug in status updates ([#223](https://github.com/bitnami-labs/sealed-secrets/issues/223))
- Add label-selector to filter Sealed Secrets ([#521](https://github.com/bitnami-labs/sealed-secrets/issues/521))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/28?closed=1

## v0.14.1

### Changelog

- Fixed `condition_info` prometheus metric disappearance ([#504](https://github.com/bitnami-labs/sealed-secrets/issues/504))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/27?closed=1

## v0.14.0

### Changelog

- Updated CustomResourceDefinition to apiextensions.k8s.io/v1 ([#490](https://github.com/bitnami-labs/sealed-secrets/issues/490))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/19?closed=1

## v0.13.1

### Changelog

- Make it easier to upgrade from ancient (pre v0.9.0) controllers ([#466](https://github.com/bitnami-labs/sealed-secrets/issues/466))
- Prometheus: add namespace to unseal error metric ([#463](https://github.com/bitnami-labs/sealed-secrets/issues/463))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/17?closed=1

## v0.12.6

### Announcements

This release contains a fix for [CVE-2020-14040](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14040), which could have opened the possibility for an attacker to cause a DoS on the sealed-secret controller (provided the attacker can cause the controller to process a malicious sealed secret resource).

### Changelog

- Fix CVE-2020-14040 ([#456](https://github.com/bitnami-labs/sealed-secrets/issues/456))
- Don't require a namespace when using --raw and cluster-wide scope ([#451](https://github.com/bitnami-labs/sealed-secrets/issues/451))
- Unregister Prometheus Gauges associated to removed SealedSecrets conditions ([#422](https://github.com/bitnami-labs/sealed-secrets/issues/422))
- Add -f and -w flags as an alternative to stdin/out ([#439](https://github.com/bitnami-labs/sealed-secrets/issues/439))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/24?closed=1

## v0.12.5

### Changelog

- Add `condition_info` metric to expose SealedSecrets status ([#421](https://github.com/bitnami-labs/sealed-secrets/issues/421))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/23?closed=1

## v0.12.4

### Announcements

The binaries in this release have been rebuilt with the Go 1.14.3 toolchain. No other changes in binaries nor k8s manifests.

### Changelog

- Build with latest Go 1.14.x version ([#411](https://github.com/bitnami-labs/sealed-secrets/issues/411))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/22?closed=1

## v0.12.3

### Announcements

This release contains only a change in the `kubeseal` binary since v0.12.2. No controller nor k8s manifest changes.

### Changelog

- Fix `--merge-into` file permissions on Windows ([#407](https://github.com/bitnami-labs/sealed-secrets/issues/407))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/21?closed=1

## v0.12.2

### Announcements

This release contains important changes in manifests since v0.12.1.
It also contains a minor fix in kubeseal client.

Previously, users upgrading to v0.12.x from previous versions would experience:

```
The Deployment "sealed-secrets-controller" is invalid: spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{"app.kubernetes.io/managed-by":"jsonnet", "app.kubernetes.io/name":"kubeseal", "app.kubernetes.io/part-of":"kubeseal", "app.kubernetes.io/version":"v0.12.1", "name":"sealed-secrets-controller"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutable
```

This was caused by a bug in our official yaml manifests introduced in v0.12.0. Users of the Helm chart were unaffected.

By reverting this issue we're going to cause the same bad experience for users who did perform a clean install of v0.12.x.
However, we believe such users are a minority.

### Changelog

- Revert "Add recommended labels" ([#404](https://github.com/bitnami-labs/sealed-secrets/issues/404))
- remove kubeconfig deps from recovery-unseal ([#394](https://github.com/bitnami-labs/sealed-secrets/issues/394))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/19?closed=1

## v0.12.1

### Announcements

This release contains changes in `kubeseal` and `controller` binaries but no changes in manifests since v0.12.0.

This release is a fixup release that turns off the status update feature introduced in v0.12.0. Several users have reported
a severe bug (an infinite feedback loop where the controller kept updating SealedSecrets and consuming lots of CPU).

In order to turn it back on, you need to manually pass the `--update-status` flag to the *controller* (or pass the `SEALED_SECRETS_UPDATE_STATUS=1` env var).

### Changelog

- Make it easier to use --raw from stdin ([#386](https://github.com/bitnami-labs/sealed-secrets/issues/386))
- Deactivate status updates unless a feature flag is explicitly passed ([#388](https://github.com/bitnami-labs/sealed-secrets/issues/388))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/18?closed=1

## v0.12.0

### Announcements

This release contains changes in `kubeseal` and `controller` binaries as well as a minor change to the k8s manifest (see [#381](https://github.com/bitnami-labs/sealed-secrets/issues/381)); keep that in mind if you don't rely on the official k8s manifests, including the community-maintained Helm chart.

### Status field

Now the Sealed Secrets controller updates the `Status` field of the `SealedSecrets` resources.
This makes it easier for automation like ArgoCD to detect whether (and when) the controller has reacted to changes in the SealedSecret resources and produced a Secret. It also shows an error message in case it fails (many users are not familiar with k8s events and they may find it easier to see the error message in the status).

### Prometheus

The Sealed Secrets controller now exports prometheus metrics. See also [contrib/prometheus-mixin](contrib/prometheus-mixin) and `controller-podmonitor.yaml`.

### Changelog

- Update Status field ([#346](https://github.com/bitnami-labs/sealed-secrets/issues/346))
- Add prometheus metrics ([#177](https://github.com/bitnami-labs/sealed-secrets/issues/177))
- Upgrade k8s client-go to v0.16.8 ([#380](https://github.com/bitnami-labs/sealed-secrets/issues/380))
- kubeseal no longer emits empty `status: {}` field ([#383](https://github.com/bitnami-labs/sealed-secrets/issues/383))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/16?closed=1

## v0.11.0

### Announcements

This release contains only changes in kubeseal binary (no k8s manifest changes required).

### For those who choose the name and namespace after sealing the secret

Creating secrets with namespace-wide and cluster-wide scopes is now easier as it no longer requires manually adding annotations in the input Secret before passing it to `kubeseal`. This was often the root cause of many support requests. Now all you need to do is to:

```
$ kubeseal --scope namespace-wide <input-secret.yaml >output-sealed-secret.json
```

### Changelog

- Honour --scope flag ([#371](https://github.com/bitnami-labs/sealed-secrets/issues/371))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/15?closed=1

## v0.10.0

### Announcements

This release supports the ARM 32 bit and 64 bit architectures, both on the client and the controller sides.

We also end the silly streak of patch level releases that actually contained features. We'll try to bump the minor version on every release except true hotfixes.

### Changelog

- Provide multi-arch Container image for Sealed Secrets controller ([#349](https://github.com/bitnami-labs/sealed-secrets/issues/349))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/2?closed=1

## v0.9.8

### Announcements

This release contains only changes in Linux `kubeseal-arm` and `kubeseal-arm64` binaries. There are no changes in the docker images, nor in the `x86_64` binaries for any of the supported OS.

### Changelog

- Fix bad release of Linux ARM7 and ARM64 binaries ([#362](https://github.com/bitnami-labs/sealed-secrets/issues/362))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/14?closed=1

## v0.9.7

### Announcements

This release contains changes in `kubeseal` and `controller` binaries as well as a minor change to the k8s manifest (see [#338](https://github.com/bitnami-labs/sealed-secrets/issues/338)); keep that in mind if you don't rely on the official k8s manifests, including the community-maintained Helm chart.

### Allow overwriting existing secrets

By default, the sealed-secrets controller doesn't unseal a SealedSecret over an existing Secret resource (i.e. a resource that has not been created by the sealed-secrets controller in the first place).

This is an important safeguard, not only to catch accidental overwrites due to typos etc, but also as a security measure: the sealed-secrets controller can create/update Secret resources even if the user who has the RBAC rights to create the SealedSecret resource doesn't have the right to create/update a Secret resource. We didn't want the sealed-secret controller to give its users more effective rights than what they would otherwise have without the sealed-secrets controller. A simple way to achieve that was to permit only updates (overwrites) to Secret resources that were already owned by the sealed-secrets controller (which also seemed a sensible thing to do since it protects from accidental overwrites).

However, this behavior gets in the way when you're just starting to use SealedSecrets and want to migrate your existing Secrets into SealedSecrets.

You now can just annotate your `Secret`s with `sealedsecrets.bitnami.com/managed: true` thus indicating that they can be safely overwritten by the sealed-secrets controller. This doesn't loosen our security model since you'd have to have RBAC rights to annotate the existing secrets (e.g. with `kubectl annotate`) or you can ask your friendly admins to do it on your behalf.

### Changelog

- Release includes ARMv7 and ARM64 binaries (although no docker images yet) ([#173](https://github.com/bitnami-labs/sealed-secrets/issues/173))
- Set `fsGroup` to `nobody` in order to support `BoundServiceAccountTokenVolume` ([#338](https://github.com/bitnami-labs/sealed-secrets/issues/338))
- Add `--force-empty-data` flag to allow (un)sealing an empty secret ([#334](https://github.com/bitnami-labs/sealed-secrets/issues/334))
- Avoid forcing the default namespace when sealing a cluster-wide secret ([#323](https://github.com/bitnami-labs/sealed-secrets/issues/323))
- Introduce the `sealedsecrets.bitnami.com/managed: true` annotation which controls overwriting existing secrets ([#331](https://github.com/bitnami-labs/sealed-secrets/issues/331))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/13?closed=1

## v0.9.6

### Announcements

This release contains only changes in `kubeseal` and `controller` binaries (no k8s manifest changes required).

### Preliminary support for running multiple controllers

It has always been possible in theory to run multiple controller instances in multiple namespaces,
each with its own sealing encryption keys and thus each able to unseal the secrets intended for it.
However, doing so created a lot of noise in the logs, since each controller couldn't tell which
secrets it was meant to decrypt but failed to, and which it ought to ignore.

Since v0.9.6 you can reduce this noise by setting the `--all-namespaces` flag to false (also via the env var `SEALED_SECRETS_ALL_NAMESPACES=false`).

### Changelog

- Give an option to search only the current namespace ([#316](https://github.com/bitnami-labs/sealed-secrets/issues/316))
- Support parsing multiple private keys in --recovery-private-key ([#325](https://github.com/bitnami-labs/sealed-secrets/issues/325))
- Add klog flags so we can troubleshoot k8s client ([#320](https://github.com/bitnami-labs/sealed-secrets/issues/320))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/12?closed=1

## v0.9.5

### Announcements

This release contains only changes in `kubeseal` binary (no k8s manifest changes required).

### Changelog

- Improve error reporting in case of missing kubeconfig when inferring namespace ([#313](https://github.com/bitnami-labs/sealed-secrets/issues/313))
- Teach kubeseal to decrypt using backed up secrets ([#312](https://github.com/bitnami-labs/sealed-secrets/issues/312))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/11?closed=1

## v0.9.4

### Announcements

This release contains only changes in `kubeseal` and `controller` binaries (no k8s manifest changes required).

### Changelog

- Remove tty warning in `--fetch-cert` (regression caused by #303 released in v0.9.3) ([#306](https://github.com/bitnami-labs/sealed-secrets/issues/306))
- Implement `--recovery-unseal` to help with disaster recovery ([#307](https://github.com/bitnami-labs/sealed-secrets/issues/307))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/10?closed=1

## v0.9.3

### Announcements

This release contains only changes in `kubeseal` and `controller` binaries (no k8s manifest changes required).

### Changelog

- Implement `--key-cutoff-time` ([#299](https://github.com/bitnami-labs/sealed-secrets/issues/299))
- Warn if stdin is a terminal ([#303](https://github.com/bitnami-labs/sealed-secrets/issues/303))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/9?closed=1

## v0.9.2

### Announcements

This release contains only changes in `kubeseal` and `controller` binaries (no k8s manifest changes required).

### Periodic key renewal and offline certificates

A few people have raised concerns about how automatic key+certificate renewal will affect the offline signing workflow.
First, a clarification: nothing changed. You can keep using your old certificates; it's just that if you do, you won't benefit from the additional security provided by the periodic key renewal.

In order to simplify the workflow for those who do want to benefit from the key renewal, but at the same time
cannot access the target cluster (while not being completely offline), we offer a little feature that will help: `--cert` has learned to accept http(s) URLs. You can point it to a place where you serve up-to-date certificates for your clusters (tip/idea: you can expose the controller's cert.pem files with an Ingress). Since secrets are encrypted to whatever certificate `--cert` returns, serve it over https from a location you control.

### Changelog

- Accept URLs in `--cert` ([#281](https://github.com/bitnami-labs/sealed-secrets/issues/281))
- Improve logs/events in case of decryption error ([#274](https://github.com/bitnami-labs/sealed-secrets/issues/274))
- Reduce likelihood of name/namespace mismatch when using `--merge-into` ([#286](https://github.com/bitnami-labs/sealed-secrets/issues/286))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/8?closed=1

## v0.9.1

- Make manifests compatible with k8s 1.16.x ([#269](https://github.com/bitnami-labs/sealed-secrets/issues/269))
- Fix non-strict scopes with --raw ([#276](https://github.com/bitnami-labs/sealed-secrets/issues/276))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/7?closed=1

## v0.9.0

## Announcement

### Private key renewal

This release turns on an important security feature: a new private key will now be created every 30 days by default.
Existing sealed-secrets resources will still be decrypted until the keys are manually phased out.

You can read more about this feature and the problem of **secret rotation** and how it interacts with Sealed Secrets in this [README section](https://github.com/bitnami-labs/sealed-secrets#secret-rotation) or in the original GH issue #137.

This feature alone is not technically a breaking change for people who use the offline workflow with `kubeseal --cert`, since old keys are not rotated out automatically. Users would be required to update their offline certs only when they purge old keys manually (we might introduce automatic purging in the future).

That said, to reap the benefits of key renewal, users of the offline workflow are encouraged to update their offline certificates every time a new key is generated (by default every 30 days).

### Pre-v0.7.0 clients

If you are using kubeseal clients older than v0.7.0, please upgrade. Since this release the controller
will no longer accept the "v1" format of the encrypted "data" field and instead it will only support the
"encryptedData" field.

If you have old sealed secret resources lying around, you can easily upgrade them by invoking:

```bash
kubeseal --re-encrypt <old.yaml >new.yaml
```

### Update items

Since version v0.7.0 it was possible to update individual items in the `encryptedData` field of the Sealed Secret resource, but you had to manually copy&paste the encrypted items into an existing resource file. The required steps were never spelled out in the documentation and to be fair it always felt quite awkward.

Now `kubectl` has learned how to update an existing secret, whilst preserving the same general operation principles, namely staying out of the business of actually crafting the secret itself (`kubectl create secret ...` and its various flags like `--from-file`, `--from-literal`, etc). Example:

```bash
$ kubectl create secret generic mysecret --dry-run -o json --from-file=foo=/tmp/foo \
  | kubeseal >sealed.json
$ kubectl create secret generic mysecret --dry-run -o json --from-file=bar=/tmp/bar \
  | kubeseal --merge-into sealed.json
```

### Changelog

- Doc improvements.
- Rename "key rotation" to "key renewal" since the terminology was confusing.
- Key renewal is enabled by default every 30 days ([#236](https://github.com/bitnami-labs/sealed-secrets/issues/236))
- You can now use env vars such as SEALED_SECRETS_FOO_BAR to customize the controller ([#234](https://github.com/bitnami-labs/sealed-secrets/issues/234))
- Deactivating by default deprecated "v1" encrypted data format (used by pre-v0.7.0 clients) ([#235](https://github.com/bitnami-labs/sealed-secrets/issues/235))
- Fix RBAC rules for /v1/rotate and /v1/validate fixing #166 for good ([#249](https://github.com/bitnami-labs/sealed-secrets/issues/249))
- Implement the --merge-into command ([#253](https://github.com/bitnami-labs/sealed-secrets/issues/253))
- Add the `-o` alias for `--format` ([#261](https://github.com/bitnami-labs/sealed-secrets/issues/261))
- Add the `--raw` command for only encrypting single items ([#257](https://github.com/bitnami-labs/sealed-secrets/issues/257))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/1?closed=1

## v0.8.3

### Announcements

This release contains a fix for a possible secret leak that can happen when sealing existing secrets that have been retrieved from a cluster (e.g. with `kubectl get`) where they were created with `kubectl apply` (as opposed to `kubectl create`).
This potential problem was introduced in v0.8.0, when kubeseal learned how to preserve annotations and labels.

Please check your existing sealed secret sources for any `kubectl.kubernetes.io/last-applied-configuration` annotation, because that annotation would contain your original secrets in clear text.

This release strips this annotation (and a similar annotation created by the `kubecfg` tool).

### Changelog

Fixes in this release:

- Round-tripping secrets can leak clear-text in last-applied-configuration ([#227](https://github.com/bitnami-labs/sealed-secrets/issues/227))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/6?closed=1

## v0.8.2

Fixes in this release:

- Endless loop in controller on invalid base64 encrypted data bug ([#201](https://github.com/bitnami-labs/sealed-secrets/issues/201))
- Fix RBAC for /v1/cert.pem public key in isolated namespaces, removes most use cases for offline sealing with `--cert` ([#208](https://github.com/bitnami-labs/sealed-secrets/issues/208),[#166](https://github.com/bitnami-labs/sealed-secrets/issues/166))
- Accept and seal stringData into secret ([#221](https://github.com/bitnami-labs/sealed-secrets/issues/221))
- Fix a couple of blockers for enabling (still experimental) key rotation ([#185](https://github.com/bitnami-labs/sealed-secrets/issues/185), [#219](https://github.com/bitnami-labs/sealed-secrets/issues/219), [#218](https://github.com/bitnami-labs/sealed-secrets/issues/218))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/5?closed=1

## v0.8.1

Fixes in this release:

- Solve kubectl auth issues with clusters using `client.authentication.k8s.io/v1beta1` config by upgrading to client-go v12.0.0 ([#183](https://github.com/bitnami-labs/sealed-secrets/issues/183))
- Fix controller crash when writing logs due to read-only root FS ([#200](https://github.com/bitnami-labs/sealed-secrets/issues/200))

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/4?closed=1

## v0.8.0

The main improvements in this release are:

- support for annotations and labels ([#92](https://github.com/bitnami-labs/sealed-secrets/issues/92))
- support for secrets rotation opt-in ([#137](https://github.com/bitnami-labs/sealed-secrets/issues/137))
- fix bug with OwnerReferences handling ([#127](https://github.com/bitnami-labs/sealed-secrets/issues/127))
- EKS support; client-go version bump to release-7.0 ([#110](https://github.com/bitnami-labs/sealed-secrets/issues/110))
- Instructions to run on GKE when user is not cluster-admin ([#111](https://github.com/bitnami-labs/sealed-secrets/issues/111))
- Windows binary of kubeseal ([#85](https://github.com/bitnami-labs/sealed-secrets/issues/85))
- Internal codebase modernization (e.g. switch to Go modules)

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/3?closed=1

Many thanks to all the folks who contributed to this release!

## v0.7.0

Big change for this release is the switch to **per-key encrypted values**.

*("Keys" as in "object key/value", not as in "encryption key".  English is hard.)*

- Previously we generated a single big encrypted blob for each Secret, now we encrypt each value in the Secret separately, with the keys in plain text. This allows:
  - Existing keys can now be renamed and deleted without re-encrypting the value(s).
  - New keys/values can be added to the SealedSecret without re-encrypting (or even having access to!) the existing values.
  - Note that (as before) the encrypted values are still tied to the namespace/name of the enclosing Secret/SealedSecret, so can't be moved to another Secret.
   (The [cluster-wide annotation](https://github.com/bitnami-labs/sealed-secrets/blob/bda0af6a6a8abebc9ff359dd2e5e22d54cb40798/pkg/apis/sealed-secrets/v1alpha1/types.go#L16)  _does_ allow this, with the corresponding caveats, as before)
- The `kubeseal` tool does not yet have an option to output _just_ a single value, but you can safely mix+match the individual values from `kubeseal` output with an existing SealedSecret.  Improving `kubeseal` support for this feature is still an open action item.
- Existing/older "all-in-one" SealedSecrets are declared deprecated, but will continue to be supported by the controller for the foreseeable future.  New invocations of the `kubeseal` tool now produce per-key encrypted output - if you need to produce the older format, just use an older `kubeseal`.  Please raise a github issue if you have a use-case that requires supporting "all-in-one" SealedSecrets going forward.
- Note the CRD schema used for server-side validation in k8s >=1.9 has been temporarily removed, because it was unable to support the new per-key structure correctly (see [kubernetes/kubernetes#59485](https://github.com/kubernetes/kubernetes/issues/59485)).
- Huge thanks to @sullerandras for the code and his persistence in getting this merged!

## v0.6.0

- Support "cluster wide" secrets, that are not restricted to the original namespace
  - Set `sealedsecrets.bitnami.com/cluster-wide: "true"` annotation
  - Warning: cluster-wide SealedSecrets can be decrypted by anyone who can create a SealedSecret in your cluster
- Move to client-go v5.0
- Move to bitnami-labs github org
- Fix bug in schema validation for k8s 1.9

## v0.5.1

**Note:** this version moves TPR/CRD definition into a separate file.  To install, you need `controller.yaml` *and* either `sealedsecret-tpr.yaml` or `sealedsecret-crd.yaml`

- Add CRD definition and TPR->CRD migration documentation
- Add `kubeseal --fetch-cert` to dump server cert to stdout, for later offline use with `kubeseal --cert`
- Better sanitization of input object to `kubeseal`

(v0.5.1 fixes a travis/github release issue with v0.5.0)

## v0.5.0

## v0.4.0

- controller: deployment security hardening: non-root uid and read-only rootfs
- `kubeseal`: Include oidc and gcp auth provider plugins
- `kubeseal`: Add support for YAML output

## v0.3.1

- Add `controller-norbac.yaml` to the release build. This is `controller.yaml` without RBAC rules and related service account - for environments where RBAC is not yet supported, [like Azure](https://github.com/Azure/acs-engine/issues/680).
- Fix missing controller RBAC ClusterRoleBinding in v0.3.0

## v0.3.0

Rename everything to better represent project scope.  Better to do this early (now) and apologies for the disruption.

- Rename repo and golang import path -> `bitnami/sealed-secrets`
- Rename cli tool -> `kubeseal`
- Rename `SealedSecret` apiGroup -> `bitnami.com`

## v0.2.1

- Fix invalid field `resourceName` in v0.2.0 controller.yaml (thanks @Globegitter)

## v0.2.0

- Client tool has better defaults, and can fetch the certificate automatically from the controller.
- Improve release process to include pre-built Linux and OSX x86-64 binaries.

## v0.1.0

Basic functionality is complete.

## v0.0.1

- Clean up controller.jsonnet
- Switch to quay.io (docker hub doesn't offer robot accounts??)
- Add deploy section to .travis.yml


================================================
FILE: SECURITY.md
================================================
# Security Release Process

The community has adopted this security disclosure and response policy to ensure we responsibly handle critical issues.

## Supported Versions

For a list of supported versions that this project will potentially create security fixes for, please refer to the [Releases page](https://github.com/bitnami-labs/sealed-secrets/blob/main/CONTRIBUTING.md#release-process) on this project's GitHub and/or project related documentation on release cadence and support.

## Reporting a Vulnerability - Private Disclosure Process

Security is of the highest importance and all security vulnerabilities or suspected security vulnerabilities should be reported to this project privately, to minimize attacks against current users before they are fixed. Vulnerabilities will be investigated and patched in the next patch (or minor) release as soon as possible. This information could be kept entirely internal to the project.

If you know of a publicly disclosed security vulnerability for this project, please **IMMEDIATELY** contact the [maintainers](mailto:sealed-secrets.pdl@broadcom.com) of this project privately. The use of encrypted email is encouraged.

>**IMPORTANT:** Do not file public issues on GitHub for security vulnerabilities

To report a vulnerability or a security-related issue, please contact the maintai
gitextract_5lwfnjj2/

├── .gitattributes
├── .github/
│   ├── CODEOWNERS
│   ├── ISSUE_TEMPLATE/
│   │   ├── bug_report.md
│   │   └── feature_request.md
│   ├── PULL_REQUEST_TEMPLATE.md
│   ├── dependabot.yml
│   └── workflows/
│       ├── ci.yml
│       ├── cosign.pub
│       ├── helm-release.yaml
│       ├── helm-vib-lint.yaml
│       ├── helm-vib.yaml
│       ├── publish-release.yaml
│       ├── release.yaml
│       └── stale.yml
├── .gitignore
├── .golangci.yaml
├── .goreleaser.yml
├── .vib/
│   ├── vib-pipeline.json
│   └── vib-platform-verify-openshift.json
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE
├── MAINTAINERS.md
├── Makefile
├── README.md
├── RELEASE-NOTES.md
├── SECURITY.md
├── carvel/
│   └── package.yaml
├── cmd/
│   ├── controller/
│   │   ├── main.go
│   │   └── main_test.go
│   └── kubeseal/
│       ├── main.go
│       └── main_test.go
├── contrib/
│   └── prometheus-mixin/
│       ├── .gitignore
│       ├── Makefile
│       ├── README.md
│       ├── alerts/
│       │   ├── alerts.libsonnet
│       │   └── sealed-secrets-alerts.libsonnet
│       ├── config.libsonnet
│       ├── dashboards/
│       │   ├── dashboards.libsonnet
│       │   └── sealed-secrets-controller.json
│       ├── lib/
│       │   ├── alerts.jsonnet
│       │   ├── dashboards.jsonnet
│       │   └── rules.jsonnet
│       ├── mixin.libsonnet
│       ├── rules/
│       │   └── rules.libsonnet
│       └── tests.yaml
├── controller-norbac.jsonnet
├── controller-podmonitor.jsonnet
├── controller.jsonnet
├── docker/
│   ├── controller.Dockerfile
│   └── kubeseal.Dockerfile
├── docs/
│   ├── GKE.md
│   ├── bring-your-own-certificates.md
│   ├── developer/
│   │   ├── README.md
│   │   ├── controller.md
│   │   ├── crypto.md
│   │   ├── kubeseal.md
│   │   └── swagger.yml
│   └── examples/
│       └── config-template/
│           ├── README.md
│           ├── deployment.yaml
│           └── sealedsecret.yaml
├── githooks/
│   └── pre-commit/
│       └── doc-toc
├── go.mod
├── go.sum
├── hack/
│   ├── boilerplate.go.txt
│   ├── tools.go
│   └── update-codegen.sh
├── helm/
│   └── sealed-secrets/
│       ├── .helmignore
│       ├── Chart.yaml
│       ├── README.md
│       ├── crds/
│       │   └── bitnami.com_sealedsecrets.yaml
│       ├── dashboards/
│       │   └── sealed-secrets-controller.json
│       ├── templates/
│       │   ├── NOTES.txt
│       │   ├── _helpers.tpl
│       │   ├── cluster-role-binding.yaml
│       │   ├── cluster-role.yaml
│       │   ├── configmap-dashboards.yaml
│       │   ├── deployment.yaml
│       │   ├── extra-list.yaml
│       │   ├── ingress.yaml
│       │   ├── networkpolicy.yaml
│       │   ├── pdb.yaml
│       │   ├── psp-clusterrole.yaml
│       │   ├── psp-clusterrolebinding.yaml
│       │   ├── psp.yaml
│       │   ├── role-binding.yaml
│       │   ├── role.yaml
│       │   ├── service-account.yaml
│       │   ├── service.yaml
│       │   ├── servicemonitor.yaml
│       │   └── tls-secret.yaml
│       └── values.yaml
├── integration/
│   ├── controller_test.go
│   ├── integration_suite_test.go
│   └── kubeseal_test.go
├── jsonnetfile.json
├── jsonnetfile.lock.json
├── kube-fixes.libsonnet
├── pkg/
│   ├── apis/
│   │   └── sealedsecrets/
│   │       └── v1alpha1/
│   │           ├── doc.go
│   │           ├── register.go
│   │           ├── sealedsecret_expansion.go
│   │           ├── sealedsecret_test.go
│   │           ├── types.go
│   │           └── zz_generated.deepcopy.go
│   ├── buildinfo/
│   │   └── version.go
│   ├── client/
│   │   ├── clientset/
│   │   │   └── versioned/
│   │   │       ├── clientset.go
│   │   │       ├── fake/
│   │   │       │   ├── clientset_generated.go
│   │   │       │   ├── doc.go
│   │   │       │   └── register.go
│   │   │       ├── scheme/
│   │   │       │   ├── doc.go
│   │   │       │   └── register.go
│   │   │       └── typed/
│   │   │           └── sealedsecrets/
│   │   │               └── v1alpha1/
│   │   │                   ├── doc.go
│   │   │                   ├── fake/
│   │   │                   │   ├── doc.go
│   │   │                   │   ├── fake_sealedsecret.go
│   │   │                   │   └── fake_sealedsecrets_client.go
│   │   │                   ├── generated_expansion.go
│   │   │                   ├── sealedsecret.go
│   │   │                   └── sealedsecrets_client.go
│   │   ├── informers/
│   │   │   └── externalversions/
│   │   │       ├── factory.go
│   │   │       ├── generic.go
│   │   │       ├── internalinterfaces/
│   │   │       │   └── factory_interfaces.go
│   │   │       └── sealedsecrets/
│   │   │           ├── interface.go
│   │   │           └── v1alpha1/
│   │   │               ├── interface.go
│   │   │               └── sealedsecret.go
│   │   └── listers/
│   │       └── sealedsecrets/
│   │           └── v1alpha1/
│   │               ├── expansion_generated.go
│   │               └── sealedsecret.go
│   ├── controller/
│   │   ├── controller.go
│   │   ├── controller_test.go
│   │   ├── funcs.go
│   │   ├── keyregistry.go
│   │   ├── keyregistry_test.go
│   │   ├── keys.go
│   │   ├── keys_test.go
│   │   ├── main.go
│   │   ├── main_test.go
│   │   ├── metrics.go
│   │   ├── metrics_test.go
│   │   ├── server.go
│   │   ├── server_test.go
│   │   ├── signal_notwin.go
│   │   └── signal_windows.go
│   ├── crypto/
│   │   ├── crypto.go
│   │   ├── keys.go
│   │   └── keys_test.go
│   ├── flagenv/
│   │   ├── flagenv.go
│   │   └── flagenv_test.go
│   ├── kubeseal/
│   │   ├── kubeseal.go
│   │   └── kubeseal_test.go
│   ├── log/
│   │   └── log.go
│   ├── multidocyaml/
│   │   ├── multidocyaml.go
│   │   └── multidocyaml_test.go
│   └── pflagenv/
│       ├── flagenv.go
│       └── flagenv_test.go
├── schema-v1alpha1.yaml
├── scripts/
│   ├── check-k8s
│   ├── kubeseal-sudo
│   └── release-check
├── site/
│   ├── .gitignore
│   ├── README.md
│   ├── archetypes/
│   │   └── default.md
│   ├── config.yaml
│   ├── content/
│   │   ├── community/
│   │   │   └── _index.html
│   │   ├── contributors/
│   │   │   ├── agarcia-oss.md
│   │   │   ├── alvneiayu.md
│   │   │   └── index.md
│   │   ├── docs/
│   │   │   ├── CONTRIBUTING.md
│   │   │   ├── _index.md
│   │   │   ├── img/
│   │   │   │   └── _index.md
│   │   │   └── latest/
│   │   │       ├── README.md
│   │   │       ├── _index.md
│   │   │       ├── background/
│   │   │       │   ├── README.md
│   │   │       │   ├── _index.md
│   │   │       │   └── cryptography.md
│   │   │       ├── howto/
│   │   │       │   ├── README.md
│   │   │       │   ├── _index.md
│   │   │       │   └── validate-sealed-secrets.md
│   │   │       ├── project/
│   │   │       │   ├── .placeholder
│   │   │       │   └── _index.md
│   │   │       ├── reference/
│   │   │       │   ├── README.md
│   │   │       │   ├── _index.md
│   │   │       │   └── faq.md
│   │   │       └── tutorials/
│   │   │           ├── README.md
│   │   │           ├── _index.md
│   │   │           ├── getting-started.md
│   │   │           └── install-sealed-secrets.md
│   │   ├── posts/
│   │   │   └── _index.md
│   │   └── resources/
│   │       └── _index.html
│   ├── data/
│   │   └── docs/
│   │       ├── latest-toc.yml
│   │       └── toc-mapping.yml
│   ├── resources/
│   │   └── _gen/
│   │       └── assets/
│   │           └── scss/
│   │               └── scss/
│   │                   ├── site.scss_8967e03afb92eb0cac064520bf021ba2.content
│   │                   └── site.scss_8967e03afb92eb0cac064520bf021ba2.json
│   └── themes/
│       └── template/
│           ├── archetypes/
│           │   └── default.md
│           ├── assets/
│           │   └── scss/
│           │       ├── _base.scss
│           │       ├── _components.scss
│           │       ├── _footer.scss
│           │       ├── _header.scss
│           │       ├── _mixins.scss
│           │       ├── _variables.scss
│           │       └── site.scss
│           ├── layouts/
│           │   ├── _default/
│           │   │   ├── _markup/
│           │   │   │   ├── render-image.html
│           │   │   │   └── render-link.html
│           │   │   ├── baseof.html
│           │   │   ├── docs.html
│           │   │   ├── list.html
│           │   │   ├── posts.html
│           │   │   ├── search.html
│           │   │   ├── section.html
│           │   │   ├── single.html
│           │   │   ├── summary.html
│           │   │   ├── tag.html
│           │   │   └── versions.html
│           │   ├── index.html
│           │   ├── index.redirects
│           │   ├── partials/
│           │   │   ├── blog-post-card.html
│           │   │   ├── contributors.html
│           │   │   ├── docs-right-bar.html
│           │   │   ├── docs-sidebar.html
│           │   │   ├── footer.html
│           │   │   ├── getting-started.html
│           │   │   ├── header.html
│           │   │   ├── hero.html
│           │   │   ├── homepage-grid.html
│           │   │   ├── pagination.html
│           │   │   └── use-cases.html
│           │   └── shortcodes/
│           │       └── readfile.html
│           └── static/
│               ├── fonts/
│               │   ├── Open Font License.md
│               │   └── README.md
│               └── js/
│                   └── main.js
├── vendor_jsonnet/
│   └── kube-libsonnet/
│       ├── .travis.yml
│       ├── CODEOWNERS
│       ├── LICENSE
│       ├── Makefile
│       ├── README.md
│       ├── bitnami.libsonnet
│       ├── examples/
│       │   ├── guestbook/
│       │   │   └── guestbook.jsonnet
│       │   └── wordpress/
│       │       ├── backend.jsonnet
│       │       ├── frontend.jsonnet
│       │       └── wordpress.jsonnet
│       ├── kube.libsonnet
│       └── tests/
│           ├── Dockerfile
│           ├── Makefile
│           ├── docker-compose.yaml
│           ├── golden/
│           │   ├── test-sealedsecrets-datalines.json
│           │   ├── test-sealedsecrets.json
│           │   ├── test-simple-validate.json
│           │   └── unittests.json
│           ├── test-sealedsecrets-datalines.jsonnet
│           ├── test-sealedsecrets-datalines.txt
│           ├── test-sealedsecrets.jsonnet
│           ├── test-simple-validate.jsonnet
│           └── unittests.jsonnet
└── versions.env
SYMBOL INDEX (456 symbols across 57 files)

FILE: cmd/controller/main.go
  constant flagEnvPrefix (line 23) | flagEnvPrefix           = "SEALED_SECRETS"
  constant defaultKeyRenewPeriod (line 24) | defaultKeyRenewPeriod   = 30 * 24 * time.Hour
  constant defaultKeyOrderPriority (line 25) | defaultKeyOrderPriority = "CertNotBefore"
  function bindControllerFlags (line 33) | func bindControllerFlags(f *controller.Flags, fs *flag.FlagSet) {
  function bindFlags (line 71) | func bindFlags(f *controller.Flags, fs *flag.FlagSet, gofs *goflag.FlagS...
  function mainE (line 85) | func mainE(w io.Writer, fs *flag.FlagSet, gofs *goflag.FlagSet, args []s...
  function main (line 125) | func main() {

FILE: cmd/controller/main_test.go
  function TestVersion (line 11) | func TestVersion(t *testing.T) {

FILE: cmd/kubeseal/main.go
  constant flagEnvPrefix (line 31) | flagEnvPrefix = "SEALED_SECRETS"
  type cliFlags (line 39) | type cliFlags struct
  type config (line 61) | type config struct
  function newConfig (line 67) | func newConfig(clientConfig clientcmd.ClientConfig, flags *cliFlags) *co...
  function initClient (line 75) | func initClient(kubeConfigPath string, cfgOverrides *clientcmd.ConfigOve...
  function bindFlags (line 82) | func bindFlags(f *cliFlags, fs *flag.FlagSet) {
  function bindClientFlags (line 111) | func bindClientFlags(fs *flag.FlagSet, gofs *goflag.FlagSet, overrides *...
  function initUsualKubectlFlags (line 124) | func initUsualKubectlFlags(overrides *clientcmd.ConfigOverrides, fs *fla...
  function runCLI (line 129) | func runCLI(w io.Writer, cfg *config) (err error) {
  function mainE (line 265) | func mainE(w io.Writer, fs *flag.FlagSet, gofs *goflag.FlagSet, args []s...
  function main (line 291) | func main() {

FILE: cmd/kubeseal/main_test.go
  type mockClientConfig (line 31) | type mockClientConfig struct
    method Namespace (line 36) | func (m *mockClientConfig) Namespace() (string, bool, error) {
    method ClientConfig (line 40) | func (m *mockClientConfig) ClientConfig() (*rest.Config, error) {
    method ConfigAccess (line 44) | func (m *mockClientConfig) ConfigAccess() clientcmd.ConfigAccess {
    method RawConfig (line 48) | func (m *mockClientConfig) RawConfig() (clientcmdapi.Config, error) {
  function TestVersion (line 52) | func TestVersion(t *testing.T) {
  function testClientConfig (line 66) | func testClientConfig() clientcmd.ClientConfig {
  function testConfig (line 70) | func testConfig(flags *cliFlags) *config {
  function TestMainError (line 79) | func TestMainError(t *testing.T) {
  function writeTempFile (line 90) | func writeTempFile(b []byte) (string, error) {
  function newTestKeyPairSingle (line 105) | func newTestKeyPairSingle(t *testing.T) (*rsa.PublicKey, *rsa.PrivateKey) {
  function testingKeypairFiles (line 115) | func testingKeypairFiles(t *testing.T) (string, string, func()) {
  function TestWriteToFile (line 143) | func TestWriteToFile(t *testing.T) {
  function TestFailToWriteToFile (line 193) | func TestFailToWriteToFile(t *testing.T) {
  function Test_runCLI (line 246) | func Test_runCLI(t *testing.T) {
  type tweakedClientConfig (line 272) | type tweakedClientConfig struct
    method Namespace (line 277) | func (tcc *tweakedClientConfig) Namespace() (string, bool, error) {
    method ClientConfig (line 281) | func (tcc *tweakedClientConfig) ClientConfig() (*rest.Config, error) {
  function trySealTestItem (line 285) | func trySealTestItem(certFilename, secretNS, secretName, secretValue str...
  function TestRawSealErrors (line 311) | func TestRawSealErrors(t *testing.T) {

FILE: integration/controller_test.go
  constant Timeout (line 39) | Timeout         = 15 * time.Second
  constant PollingInterval (line 40) | PollingInterval = "100ms"
  function getData (line 43) | func getData(s *v1.Secret) map[string][]byte {
  function getAnnotations (line 47) | func getAnnotations(s *v1.Secret) map[string]string {
  function getLabels (line 51) | func getLabels(s *v1.Secret) map[string]string {
  function getStatus (line 55) | func getStatus(ss *ssv1alpha1.SealedSecret) *ssv1alpha1.SealedSecretStat...
  function getObservedGeneration (line 59) | func getObservedGeneration(ss *ssv1alpha1.SealedSecret) int64 {
  function getFirstOwnerName (line 64) | func getFirstOwnerName(s *v1.Secret) string {
  function getNumberOfOwners (line 68) | func getNumberOfOwners(s *v1.Secret) int {
  function getSecretType (line 72) | func getSecretType(s *v1.Secret) v1.SecretType {
  function getSecretImmutable (line 76) | func getSecretImmutable(s *v1.Secret) bool {
  function compareLastTimes (line 80) | func compareLastTimes(ss *ssv1alpha1.SealedSecret) bool {
  function fetchKeys (line 89) | func fetchKeys(ctx context.Context, c corev1.SecretsGetter) (map[string]...
  function containEventWithReason (line 127) | func containEventWithReason(matcher types.GomegaMatcher) types.GomegaMat...
  function containEventWithMessage (line 137) | func containEventWithMessage(matcher types.GomegaMatcher) types.GomegaMa...

FILE: integration/integration_suite_test.go
  function clusterConfigOrDie (line 38) | func clusterConfigOrDie() *rest.Config {
  function createNsOrDie (line 54) | func createNsOrDie(ctx context.Context, c corev1.NamespacesGetter, ns st...
  function deleteNsOrDie (line 70) | func deleteNsOrDie(ctx context.Context, c corev1.NamespacesGetter, ns st...
  function containsString (line 77) | func containsString(haystack []string, needle string) bool {
  function runKubeseal (line 86) | func runKubeseal(flags []string, input io.Reader, output io.Writer, opts...
  type interruptableReader (line 96) | type interruptableReader struct
    method Read (line 101) | func (r interruptableReader) Read(p []byte) (int, error) {
  function streamLog (line 112) | func streamLog(ctx context.Context, c corev1.PodsGetter, namespace, name...
  function runController (line 131) | func runController(flags []string, input io.Reader, output io.Writer) er...
  type runAppOpt (line 135) | type runAppOpt
  type runAppOpts (line 137) | type runAppOpts struct
  function runAppWithStderr (line 141) | func runAppWithStderr(w io.Writer) runAppOpt {
  function runApp (line 145) | func runApp(app string, flags []string, input io.Reader, output io.Write...
  function runKubesealWith (line 162) | func runKubesealWith(flags []string, input runtime.Object, opts ...runAp...
  function TestE2e (line 187) | func TestE2e(t *testing.T) {

FILE: pkg/apis/sealedsecrets/v1alpha1/register.go
  constant GroupName (line 12) | GroupName = "bitnami.com"
  function init (line 24) | func init() {
  function Resource (line 29) | func Resource(resource string) schema.GroupResource {
  function addKnownTypes (line 33) | func addKnownTypes(scheme *runtime.Scheme) error {

FILE: pkg/apis/sealedsecrets/v1alpha1/sealedsecret_expansion.go
  constant StrictScope (line 25) | StrictScope SealingScope = iota
  constant NamespaceWideScope (line 27) | NamespaceWideScope
  constant ClusterWideScope (line 29) | ClusterWideScope
  constant DefaultScope (line 32) | DefaultScope = StrictScope
  function init (line 42) | func init() {
  type SealedSecretExpansion (line 50) | type SealedSecretExpansion interface
  type SealingScope (line 56) | type SealingScope
    method String (line 58) | func (s *SealingScope) String() string {
    method Set (line 71) | func (s *SealingScope) Set(v string) error {
    method Type (line 88) | func (s *SealingScope) Type() string { return "string" }
  function EncryptionLabel (line 91) | func EncryptionLabel(namespace, name string, scope SealingScope) []byte {
  function labelFor (line 107) | func labelFor(o metav1.Object) []byte {
  function SecretScope (line 112) | func SecretScope(o metav1.Object) SealingScope {
  method Scope (line 123) | func (s *SealedSecret) Scope() SealingScope {
  function NewSealedSecretV1 (line 131) | func NewSealedSecretV1(codecs runtimeserializer.CodecFactory, pubKey *rs...
  function UpdateScopeAnnotations (line 173) | func UpdateScopeAnnotations(anno map[string]string, scope SealingScope) ...
  function StripLastAppliedAnnotations (line 193) | func StripLastAppliedAnnotations(annotations map[string]string) {
  function NewSealedSecret (line 209) | func NewSealedSecret(codecs runtimeserializer.CodecFactory, pubKey *rsa....
  method Unseal (line 266) | func (s *SealedSecret) Unseal(codecs runtimeserializer.CodecFactory, pri...

FILE: pkg/apis/sealedsecrets/v1alpha1/sealedsecret_test.go
  function TestSealingScope (line 32) | func TestSealingScope(t *testing.T) {
  function TestEncryptionLabel (line 67) | func TestEncryptionLabel(t *testing.T) {
  function TestLabel (line 87) | func TestLabel(t *testing.T) {
  function TestClusterWide (line 100) | func TestClusterWide(t *testing.T) {
  function TestNamespaceWide (line 116) | func TestNamespaceWide(t *testing.T) {
  function TestClusterAndNamespaceWide (line 132) | func TestClusterAndNamespaceWide(t *testing.T) {
  function TestSerialize (line 149) | func TestSerialize(t *testing.T) {
  function testRand (line 178) | func testRand() io.Reader {
  function generateTestKey (line 182) | func generateTestKey(t *testing.T, rand io.Reader, bits int) (*rsa.Priva...
  function TestSealRoundTrip (line 195) | func TestSealRoundTrip(t *testing.T) {
  function TestSealRoundTripStringDataConversion (line 218) | func TestSealRoundTripStringDataConversion(t *testing.T) {
  function TestSealRoundTripWithClusterWide (line 256) | func TestSealRoundTripWithClusterWide(t *testing.T) {
  function TestSealRoundTripWithMisMatchClusterWide (line 282) | func TestSealRoundTripWithMisMatchClusterWide(t *testing.T) {
  function TestSealRoundTripWithNamespaceWide (line 306) | func TestSealRoundTripWithNamespaceWide(t *testing.T) {
  function TestSealRoundTripWithMisMatchNamespaceWide (line 332) | func TestSealRoundTripWithMisMatchNamespaceWide(t *testing.T) {
  function TestSealRoundTripTemplateData (line 356) | func TestSealRoundTripTemplateData(t *testing.T) {
  function TestTemplateWithoutEncryptedData (line 394) | func TestTemplateWithoutEncryptedData(t *testing.T) {
  function TestSkipSetOwnerReference (line 413) | func TestSkipSetOwnerReference(t *testing.T) {
  function TestSealMetadataPreservation (line 470) | func TestSealMetadataPreservation(t *testing.T) {
  function TestUnsealingV1Format (line 524) | func TestUnsealingV1Format(t *testing.T) {
  function TestRejectBothEncryptedDataAndDeprecatedV1Data (line 560) | func TestRejectBothEncryptedDataAndDeprecatedV1Data(t *testing.T) {
  function TestInvalidBase64 (line 587) | func TestInvalidBase64(t *testing.T) {
  function sealSecret (line 618) | func sealSecret(t *testing.T, secret *v1.Secret, newSealedSecret func(se...
  function testWithAcceptDeprecatedV1Data (line 635) | func testWithAcceptDeprecatedV1Data(acceptDeprecated bool, inner func(t ...

FILE: pkg/apis/sealedsecrets/v1alpha1/types.go
  constant SealedSecretName (line 12) | SealedSecretName = "sealed-secret." + GroupName
  constant SealedSecretPlural (line 14) | SealedSecretPlural = "sealedsecrets"
  constant annoNs (line 17) | annoNs = "sealedsecrets." + GroupName + "/"
  constant SealedSecretClusterWideAnnotation (line 21) | SealedSecretClusterWideAnnotation = annoNs + "cluster-wide"
  constant SealedSecretNamespaceWideAnnotation (line 25) | SealedSecretNamespaceWideAnnotation = annoNs + "namespace-wide"
  constant SealedSecretManagedAnnotation (line 29) | SealedSecretManagedAnnotation = annoNs + "managed"
  constant SealedSecretPatchAnnotation (line 33) | SealedSecretPatchAnnotation = annoNs + "patch"
  constant SealedSecretSkipSetOwnerReferencesAnnotation (line 37) | SealedSecretSkipSetOwnerReferencesAnnotation = annoNs + "skip-set-owner-...
  type SecretTemplateSpec (line 42) | type SecretTemplateSpec struct
  type SealedSecretSpec (line 68) | type SealedSecretSpec struct
  type SealedSecretEncryptedData (line 80) | type SealedSecretEncryptedData
    method UnmarshalJSON (line 82) | func (s *SealedSecretEncryptedData) UnmarshalJSON(data []byte) error {
  type SealedSecretConditionType (line 92) | type SealedSecretConditionType
  constant SealedSecretSynced (line 96) | SealedSecretSynced SealedSecretConditionType = "Synced"
  type SealedSecretCondition (line 100) | type SealedSecretCondition struct
  type SealedSecretStatus (line 118) | type SealedSecretStatus struct
  type SealedSecret (line 140) | type SealedSecret struct
  type SealedSecretList (line 152) | type SealedSecretList struct
  type ByCreationTimestamp (line 160) | type ByCreationTimestamp
    method Len (line 162) | func (s ByCreationTimestamp) Len() int {
    method Swap (line 166) | func (s ByCreationTimestamp) Swap(i, j int) {
    method Less (line 170) | func (s ByCreationTimestamp) Less(i, j int) bool {

FILE: pkg/apis/sealedsecrets/v1alpha1/zz_generated.deepcopy.go
  method DeepCopyInto (line 13) | func (in ByCreationTimestamp) DeepCopyInto(out *ByCreationTimestamp) {
  method DeepCopy (line 25) | func (in ByCreationTimestamp) DeepCopy() ByCreationTimestamp {
  method DeepCopyInto (line 35) | func (in *SealedSecret) DeepCopyInto(out *SealedSecret) {
  method DeepCopy (line 49) | func (in *SealedSecret) DeepCopy() *SealedSecret {
  method DeepCopyObject (line 59) | func (in *SealedSecret) DeepCopyObject() runtime.Object {
  method DeepCopyInto (line 67) | func (in *SealedSecretCondition) DeepCopyInto(out *SealedSecretCondition) {
  method DeepCopy (line 75) | func (in *SealedSecretCondition) DeepCopy() *SealedSecretCondition {
  method DeepCopyInto (line 85) | func (in SealedSecretEncryptedData) DeepCopyInto(out *SealedSecretEncryp...
  method DeepCopy (line 97) | func (in SealedSecretEncryptedData) DeepCopy() SealedSecretEncryptedData {
  method DeepCopyInto (line 107) | func (in *SealedSecretList) DeepCopyInto(out *SealedSecretList) {
  method DeepCopy (line 122) | func (in *SealedSecretList) DeepCopy() *SealedSecretList {
  method DeepCopyObject (line 132) | func (in *SealedSecretList) DeepCopyObject() runtime.Object {
  method DeepCopyInto (line 140) | func (in *SealedSecretSpec) DeepCopyInto(out *SealedSecretSpec) {
  method DeepCopy (line 159) | func (in *SealedSecretSpec) DeepCopy() *SealedSecretSpec {
  method DeepCopyInto (line 169) | func (in *SealedSecretStatus) DeepCopyInto(out *SealedSecretStatus) {
  method DeepCopy (line 182) | func (in *SealedSecretStatus) DeepCopy() *SealedSecretStatus {
  method DeepCopyInto (line 192) | func (in *SecretTemplateSpec) DeepCopyInto(out *SecretTemplateSpec) {
  method DeepCopy (line 211) | func (in *SecretTemplateSpec) DeepCopy() *SecretTemplateSpec {

FILE: pkg/buildinfo/version.go
  constant DefaultVersion (line 6) | DefaultVersion = "UNKNOWN"
  function FallbackVersion (line 9) | func FallbackVersion(v *string, unchanged string) {

FILE: pkg/client/clientset/versioned/clientset.go
  type Interface (line 15) | type Interface interface
  type Clientset (line 21) | type Clientset struct
    method BitnamiV1alpha1 (line 27) | func (c *Clientset) BitnamiV1alpha1() bitnamiv1alpha1.BitnamiV1alpha1I...
    method Discovery (line 32) | func (c *Clientset) Discovery() discovery.DiscoveryInterface {
  function NewForConfig (line 44) | func NewForConfig(c *rest.Config) (*Clientset, error) {
  function NewForConfigAndClient (line 64) | func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Cl...
  function NewForConfigOrDie (line 89) | func NewForConfigOrDie(c *rest.Config) *Clientset {
  function New (line 98) | func New(c rest.Interface) *Clientset {

FILE: pkg/client/clientset/versioned/fake/clientset_generated.go
  function NewSimpleClientset (line 20) | func NewSimpleClientset(objects ...runtime.Object) *Clientset {
  type Clientset (line 47) | type Clientset struct
    method Discovery (line 53) | func (c *Clientset) Discovery() discovery.DiscoveryInterface {
    method Tracker (line 57) | func (c *Clientset) Tracker() testing.ObjectTracker {
    method BitnamiV1alpha1 (line 67) | func (c *Clientset) BitnamiV1alpha1() bitnamiv1alpha1.BitnamiV1alpha1I...

FILE: pkg/client/clientset/versioned/fake/register.go
  function init (line 37) | func init() {

FILE: pkg/client/clientset/versioned/scheme/register.go
  function init (line 37) | func init() {

FILE: pkg/client/clientset/versioned/typed/sealedsecrets/v1alpha1/fake/fake_sealedsecret.go
  type FakeSealedSecrets (line 17) | type FakeSealedSecrets struct
    method Get (line 27) | func (c *FakeSealedSecrets) Get(ctx context.Context, name string, opti...
    method List (line 38) | func (c *FakeSealedSecrets) List(ctx context.Context, opts v1.ListOpti...
    method Watch (line 60) | func (c *FakeSealedSecrets) Watch(ctx context.Context, opts v1.ListOpt...
    method Create (line 67) | func (c *FakeSealedSecrets) Create(ctx context.Context, sealedSecret *...
    method Update (line 78) | func (c *FakeSealedSecrets) Update(ctx context.Context, sealedSecret *...
    method UpdateStatus (line 90) | func (c *FakeSealedSecrets) UpdateStatus(ctx context.Context, sealedSe...
    method Delete (line 101) | func (c *FakeSealedSecrets) Delete(ctx context.Context, name string, o...
    method DeleteCollection (line 109) | func (c *FakeSealedSecrets) DeleteCollection(ctx context.Context, opts...
    method Patch (line 117) | func (c *FakeSealedSecrets) Patch(ctx context.Context, name string, pt...

FILE: pkg/client/clientset/versioned/typed/sealedsecrets/v1alpha1/fake/fake_sealedsecrets_client.go
  type FakeBitnamiV1alpha1 (line 11) | type FakeBitnamiV1alpha1 struct
    method SealedSecrets (line 15) | func (c *FakeBitnamiV1alpha1) SealedSecrets(namespace string) v1alpha1...
    method RESTClient (line 21) | func (c *FakeBitnamiV1alpha1) RESTClient() rest.Interface {

FILE: pkg/client/clientset/versioned/typed/sealedsecrets/v1alpha1/generated_expansion.go
  type SealedSecretExpansion (line 5) | type SealedSecretExpansion interface

FILE: pkg/client/clientset/versioned/typed/sealedsecrets/v1alpha1/sealedsecret.go
  type SealedSecretsGetter (line 19) | type SealedSecretsGetter interface
  type SealedSecretInterface (line 24) | type SealedSecretInterface interface
  type sealedSecrets (line 38) | type sealedSecrets struct
    method Get (line 52) | func (c *sealedSecrets) Get(ctx context.Context, name string, options ...
    method List (line 65) | func (c *sealedSecrets) List(ctx context.Context, opts v1.ListOptions)...
    method Watch (line 82) | func (c *sealedSecrets) Watch(ctx context.Context, opts v1.ListOptions...
    method Create (line 97) | func (c *sealedSecrets) Create(ctx context.Context, sealedSecret *v1al...
    method Update (line 110) | func (c *sealedSecrets) Update(ctx context.Context, sealedSecret *v1al...
    method UpdateStatus (line 125) | func (c *sealedSecrets) UpdateStatus(ctx context.Context, sealedSecret...
    method Delete (line 140) | func (c *sealedSecrets) Delete(ctx context.Context, name string, opts ...
    method DeleteCollection (line 151) | func (c *sealedSecrets) DeleteCollection(ctx context.Context, opts v1....
    method Patch (line 167) | func (c *sealedSecrets) Patch(ctx context.Context, name string, pt typ...
  function newSealedSecrets (line 44) | func newSealedSecrets(c *BitnamiV1alpha1Client, namespace string) *seale...

FILE: pkg/client/clientset/versioned/typed/sealedsecrets/v1alpha1/sealedsecrets_client.go
  type BitnamiV1alpha1Interface (line 13) | type BitnamiV1alpha1Interface interface
  type BitnamiV1alpha1Client (line 19) | type BitnamiV1alpha1Client struct
    method SealedSecrets (line 23) | func (c *BitnamiV1alpha1Client) SealedSecrets(namespace string) Sealed...
    method RESTClient (line 86) | func (c *BitnamiV1alpha1Client) RESTClient() rest.Interface {
  function NewForConfig (line 30) | func NewForConfig(c *rest.Config) (*BitnamiV1alpha1Client, error) {
  function NewForConfigAndClient (line 44) | func NewForConfigAndClient(c *rest.Config, h *http.Client) (*BitnamiV1al...
  function NewForConfigOrDie (line 58) | func NewForConfigOrDie(c *rest.Config) *BitnamiV1alpha1Client {
  function New (line 67) | func New(c rest.Interface) *BitnamiV1alpha1Client {
  function setConfigDefaults (line 71) | func setConfigDefaults(config *rest.Config) error {

FILE: pkg/client/informers/externalversions/factory.go
  type SharedInformerOption (line 20) | type SharedInformerOption
  type sharedInformerFactory (line 22) | type sharedInformerFactory struct
    method Start (line 108) | func (f *sharedInformerFactory) Start(stopCh <-chan struct{}) {
    method Shutdown (line 132) | func (f *sharedInformerFactory) Shutdown() {
    method WaitForCacheSync (line 141) | func (f *sharedInformerFactory) WaitForCacheSync(stopCh <-chan struct{...
    method InformerFor (line 164) | func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFun...
    method Bitnami (line 243) | func (f *sharedInformerFactory) Bitnami() sealedsecrets.Interface {
  function WithCustomResyncConfig (line 43) | func WithCustomResyncConfig(resyncConfig map[v1.Object]time.Duration) Sh...
  function WithTweakListOptions (line 53) | func WithTweakListOptions(tweakListOptions internalinterfaces.TweakListO...
  function WithNamespace (line 61) | func WithNamespace(namespace string) SharedInformerOption {
  function WithTransform (line 69) | func WithTransform(transform cache.TransformFunc) SharedInformerOption {
  function NewSharedInformerFactory (line 77) | func NewSharedInformerFactory(client versioned.Interface, defaultResync ...
  function NewFilteredSharedInformerFactory (line 85) | func NewFilteredSharedInformerFactory(client versioned.Interface, defaul...
  function NewSharedInformerFactoryWithOptions (line 90) | func NewSharedInformerFactoryWithOptions(client versioned.Interface, def...
  type SharedInformerFactory (line 210) | type SharedInformerFactory interface

FILE: pkg/client/informers/externalversions/generic.go
  type GenericInformer (line 15) | type GenericInformer interface
  type genericInformer (line 20) | type genericInformer struct
    method Informer (line 26) | func (f *genericInformer) Informer() cache.SharedIndexInformer {
    method Lister (line 31) | func (f *genericInformer) Lister() cache.GenericLister {
  method ForResource (line 37) | func (f *sharedInformerFactory) ForResource(resource schema.GroupVersion...

FILE: pkg/client/informers/externalversions/internalinterfaces/factory_interfaces.go
  type NewInformerFunc (line 15) | type NewInformerFunc
  type SharedInformerFactory (line 18) | type SharedInformerFactory interface
  type TweakListOptionsFunc (line 24) | type TweakListOptionsFunc

FILE: pkg/client/informers/externalversions/sealedsecrets/interface.go
  type Interface (line 11) | type Interface interface
  type group (line 16) | type group struct
    method V1alpha1 (line 28) | func (g *group) V1alpha1() v1alpha1.Interface {
  function New (line 23) | func New(f internalinterfaces.SharedInformerFactory, namespace string, t...

FILE: pkg/client/informers/externalversions/sealedsecrets/v1alpha1/interface.go
  type Interface (line 10) | type Interface interface
  type version (line 15) | type version struct
    method SealedSecrets (line 27) | func (v *version) SealedSecrets() SealedSecretInformer {
  function New (line 22) | func New(f internalinterfaces.SharedInformerFactory, namespace string, t...

FILE: pkg/client/informers/externalversions/sealedsecrets/v1alpha1/sealedsecret.go
  type SealedSecretInformer (line 21) | type SealedSecretInformer interface
  type sealedSecretInformer (line 26) | type sealedSecretInformer struct
    method defaultInformer (line 64) | func (f *sealedSecretInformer) defaultInformer(client versioned.Interf...
    method Informer (line 68) | func (f *sealedSecretInformer) Informer() cache.SharedIndexInformer {
    method Lister (line 72) | func (f *sealedSecretInformer) Lister() v1alpha1.SealedSecretLister {
  function NewSealedSecretInformer (line 35) | func NewSealedSecretInformer(client versioned.Interface, namespace strin...
  function NewFilteredSealedSecretInformer (line 42) | func NewFilteredSealedSecretInformer(client versioned.Interface, namespa...

FILE: pkg/client/listers/sealedsecrets/v1alpha1/expansion_generated.go
  type SealedSecretListerExpansion (line 7) | type SealedSecretListerExpansion interface
  type SealedSecretNamespaceListerExpansion (line 11) | type SealedSecretNamespaceListerExpansion interface

FILE: pkg/client/listers/sealedsecrets/v1alpha1/sealedsecret.go
  type SealedSecretLister (line 14) | type SealedSecretLister interface
  type sealedSecretLister (line 24) | type sealedSecretLister struct
    method List (line 34) | func (s *sealedSecretLister) List(selector labels.Selector) (ret []*v1...
    method SealedSecrets (line 42) | func (s *sealedSecretLister) SealedSecrets(namespace string) SealedSec...
  function NewSealedSecretLister (line 29) | func NewSealedSecretLister(indexer cache.Indexer) SealedSecretLister {
  type SealedSecretNamespaceLister (line 48) | type SealedSecretNamespaceLister interface
  type sealedSecretNamespaceLister (line 60) | type sealedSecretNamespaceLister struct
    method List (line 66) | func (s sealedSecretNamespaceLister) List(selector labels.Selector) (r...
    method Get (line 74) | func (s sealedSecretNamespaceLister) Get(name string) (*v1alpha1.Seale...

FILE: pkg/controller/controller.go
  constant SuccessUnsealed (line 43) | SuccessUnsealed = "Unsealed"
  constant ErrUpdateFailed (line 49) | ErrUpdateFailed = "ErrUpdateFailed"
  constant ErrUnsealFailed (line 55) | ErrUnsealFailed = "ErrUnsealFailed"
  type Controller (line 66) | type Controller struct
    method HasSynced (line 246) | func (c *Controller) HasSynced() bool {
    method LastSyncResourceVersion (line 260) | func (c *Controller) LastSyncResourceVersion() string {
    method Run (line 267) | func (c *Controller) Run(stopCh <-chan struct{}) {
    method runWorker (line 292) | func (c *Controller) runWorker(ctx context.Context) {
    method processNextItem (line 298) | func (c *Controller) processNextItem(ctx context.Context) bool {
    method unseal (line 327) | func (c *Controller) unseal(ctx context.Context, key string) (unsealEr...
    method updateSealedSecretStatus (line 468) | func (c *Controller) updateSealedSecretStatus(ctx context.Context, sse...
    method AttemptUnseal (line 539) | func (c *Controller) AttemptUnseal(content []byte) (bool, error) {
    method Rotate (line 563) | func (c *Controller) Rotate(content []byte) ([]byte, error) {
    method attemptUnseal (line 597) | func (c *Controller) attemptUnseal(ss *ssv1alpha1.SealedSecret) (*core...
  function NewController (line 81) | func NewController(
  function watchKeySecrets (line 137) | func watchKeySecrets(kinformer informers.SharedInformerFactory, registry...
  function watchSealedSecrets (line 154) | func watchSealedSecrets(ssinformer ssinformer.SharedInformerFactory, que...
  function sealedSecretChanged (line 189) | func sealedSecretChanged(oldObj, newObj interface{}) bool {
  function watchSecrets (line 201) | func watchSecrets(sinformer informers.SharedInformerFactory, ssclientset...
  function convertSealedSecret (line 453) | func convertSealedSecret(obj any) (*ssv1alpha1.SealedSecret, error) {
  function updateSealedSecretsStatusConditions (line 488) | func updateSealedSecretsStatusConditions(st *ssv1alpha1.SealedSecretStat...
  function isAnnotatedToBeManaged (line 522) | func isAnnotatedToBeManaged(secret *corev1.Secret) bool {
  function isAnnotatedToBePatched (line 526) | func isAnnotatedToBePatched(secret *corev1.Secret) bool {
  function isImmutableError (line 530) | func isImmutableError(err error) bool {
  function formatImmutableError (line 534) | func formatImmutableError(key string) string {
  function attemptUnseal (line 601) | func attemptUnseal(ss *ssv1alpha1.SealedSecret, keyRegistry *KeyRegistry...

FILE: pkg/controller/controller_test.go
  function TestIsAnnotatedToBePatched (line 26) | func TestIsAnnotatedToBePatched(t *testing.T) {
  function TestIsAnnotatedToBeManaged (line 58) | func TestIsAnnotatedToBeManaged(t *testing.T) {
  function TestConvert2SealedSecretBadType (line 90) | func TestConvert2SealedSecretBadType(t *testing.T) {
  function TestConvert2SealedSecretFills (line 99) | func TestConvert2SealedSecretFills(t *testing.T) {
  function TestConvert2SealedSecretPassThrough (line 113) | func TestConvert2SealedSecretPassThrough(t *testing.T) {
  function TestDefaultConfigDoesNotSkipRecreate (line 128) | func TestDefaultConfigDoesNotSkipRecreate(t *testing.T) {
  function TestSkipRecreateConfigDoesSkipIt (line 148) | func TestSkipRecreateConfigDoesSkipIt(t *testing.T) {
  function TestEmptyStatusSendsUpdate (line 168) | func TestEmptyStatusSendsUpdate(t *testing.T) {
  function TestStatusUpdateSendsUpdate (line 176) | func TestStatusUpdateSendsUpdate(t *testing.T) {
  function TestSameStatusNoUpdate (line 199) | func TestSameStatusNoUpdate(t *testing.T) {
  function TestSyncedSecretWithErrorSendsUpdate (line 212) | func TestSyncedSecretWithErrorSendsUpdate(t *testing.T) {
  function testKeyRegister (line 225) | func testKeyRegister(t *testing.T, ctx context.Context, clientset kubern...
  function prettyEncoder (line 238) | func prettyEncoder(codecs runtimeserializer.CodecFactory, mediaType stri...
  function TestRotate (line 253) | func TestRotate(t *testing.T) {
  function TestRotateKeepScope (line 324) | func TestRotateKeepScope(t *testing.T) {

FILE: pkg/controller/funcs.go
  function ScheduleJobWithTrigger (line 12) | func ScheduleJobWithTrigger(initialDelay, period time.Duration, job func...
  constant kubeChars (line 33) | kubeChars     = "abcdefghijklmnopqrstuvwxyz0123456789-"
  constant maxNameLength (line 34) | maxNameLength = 245
  function validateKeyPrefix (line 37) | func validateKeyPrefix(name string) (string, error) {
  function removeDuplicates (line 49) | func removeDuplicates(strSlice []string) []string {

FILE: pkg/controller/keyregistry.go
  type Key (line 19) | type Key struct
  type KeyRegistry (line 27) | type KeyRegistry struct
    method generateKey (line 50) | func (kr *KeyRegistry) generateKey(ctx context.Context, validFor time....
    method registerNewKey (line 69) | func (kr *KeyRegistry) registerNewKey(keyName string, privKey *rsa.Pri...
    method latestPrivateKey (line 90) | func (kr *KeyRegistry) latestPrivateKey() *rsa.PrivateKey {
    method getCert (line 95) | func (kr *KeyRegistry) getCert() (*x509.Certificate, error) {
  function NewKeyRegistry (line 39) | func NewKeyRegistry(client kubernetes.Interface, namespace, keyPrefix, k...

FILE: pkg/controller/keyregistry_test.go
  function TestRegisterNewKey (line 8) | func TestRegisterNewKey(t *testing.T) {

FILE: pkg/controller/keys.go
  constant SealedSecretsKeyLabel (line 21) | SealedSecretsKeyLabel = "sealedsecrets.bitnami.com/sealed-secrets-key"
  function generatePrivateKeyAndCert (line 28) | func generatePrivateKeyAndCert(keySize int, validFor time.Duration, cn s...
  function readKey (line 32) | func readKey(secret *v1.Secret) (*rsa.PrivateKey, []*x509.Certificate, e...
  type writeKeyOpt (line 49) | type writeKeyOpt
  type writeKeyOpts (line 50) | type writeKeyOpts struct
  function writeKeyWithCreationTime (line 52) | func writeKeyWithCreationTime(t metav1.Time) writeKeyOpt {
  function writeKey (line 56) | func writeKey(ctx context.Context, client kubernetes.Interface, key *rsa...

FILE: pkg/controller/keys_test.go
  function testRand (line 26) | func testRand() io.Reader {
  function signKey (line 30) | func signKey(r io.Reader, key *rsa.PrivateKey) (*x509.Certificate, error) {
  function signKeyWithNotBefore (line 34) | func signKeyWithNotBefore(r io.Reader, key *rsa.PrivateKey, notBefore ti...
  function TestReadKey (line 38) | func TestReadKey(t *testing.T) {
  function TestWriteKey (line 77) | func TestWriteKey(t *testing.T) {

FILE: pkg/controller/main.go
  type Flags (line 37) | type Flags struct
  function initKeyPrefix (line 65) | func initKeyPrefix(keyPrefix string) (string, error) {
  function initKeyRegistry (line 69) | func initKeyRegistry(ctx context.Context, client kubernetes.Interface, r...
  function registryNewKeyWithSecret (line 99) | func registryNewKeyWithSecret(secret *v1.Secret, keyRegistry *KeyRegistr...
  function getKeyOrderPriority (line 115) | func getKeyOrderPriority(keyOrderPriority string, cert *x509.Certificate...
  function myNamespace (line 127) | func myNamespace() string {
  function initKeyRenewal (line 145) | func initKeyRenewal(ctx context.Context, registry *KeyRegistry, period, ...
  function Main (line 174) | func Main(f *Flags, version string) error {
  function prepareController (line 299) | func prepareController(
  function initSecretInformerFactory (line 317) | func initSecretInformerFactory(clientset kubernetes.Interface, ns string...

FILE: pkg/controller/main_test.go
  function findAction (line 23) | func findAction(fake *fake.Clientset, verb, resource string) ktesting.Ac...
  function hasAction (line 32) | func hasAction(fake *fake.Clientset, verb, resource string) bool {
  function generateNameReactor (line 38) | func generateNameReactor(action ktesting.Action) (handled bool, ret runt...
  function TestInitKeyRegistry (line 46) | func TestInitKeyRegistry(t *testing.T) {
  function TestInitKeyRotation (line 81) | func TestInitKeyRotation(t *testing.T) {
  function TestInitKeyRotationTick (line 122) | func TestInitKeyRotationTick(t *testing.T) {
  function TestReuseKey (line 160) | func TestReuseKey(t *testing.T) {
  function TestRenewStaleKey (line 199) | func TestRenewStaleKey(t *testing.T) {
  function TestKeyCutoff (line 259) | func TestKeyCutoff(t *testing.T) {
  function writeLegacyKey (line 307) | func writeLegacyKey(ctx context.Context, client kubernetes.Interface, ke...
  function TestLegacySecret (line 331) | func TestLegacySecret(t *testing.T) {

FILE: pkg/controller/metrics.go
  constant metricNamespace (line 14) | metricNamespace string = "sealed_secrets_controller"
  constant labelNamespace (line 17) | labelNamespace = "namespace"
  constant labelName (line 18) | labelName      = "name"
  constant labelCondition (line 19) | labelCondition = "condition"
  constant labelInstance (line 20) | labelInstance  = "ss_app_kubernetes_io_instance"
  function registerMetrics (line 80) | func registerMetrics(version string) {
  function ObserveCondition (line 100) | func ObserveCondition(ssecret *v1alpha1.SealedSecret) {
  function UnregisterCondition (line 115) | func UnregisterCondition(ssecret *v1alpha1.SealedSecret) {
  function Instrument (line 125) | func Instrument(path string, h http.Handler) http.Handler {

FILE: pkg/controller/metrics_test.go
  function setupTestMetrics (line 14) | func setupTestMetrics() *prometheus.Registry {
  function TestObserveCondition (line 35) | func TestObserveCondition(t *testing.T) {
  function TestUnregisterCondition (line 87) | func TestUnregisterCondition(t *testing.T) {
  function TestUnregisterConditionWithNilStatus (line 152) | func TestUnregisterConditionWithNilStatus(t *testing.T) {
  function TestObserveConditionWithNilStatus (line 165) | func TestObserveConditionWithNilStatus(t *testing.T) {
  function TestUnregisterConditionWithMissingLabel (line 178) | func TestUnregisterConditionWithMissingLabel(t *testing.T) {
  function getLabel (line 225) | func getLabel(labels []*dto.LabelPair, name string) string {

FILE: pkg/controller/server.go
  type certProvider (line 28) | type certProvider
  type secretChecker (line 29) | type secretChecker
  type secretRotator (line 30) | type secretRotator
  function httpserver (line 36) | func httpserver(cp certProvider, sc secretChecker, sr secretRotator, bur...
  function httpserverMetrics (line 122) | func httpserverMetrics() *http.Server {
  function rateLimiter (line 142) | func rateLimiter(burst int, rate int) throttled.HTTPRateLimiter {

FILE: pkg/controller/server_test.go
  type testCertStore (line 17) | type testCertStore struct
    method getCert (line 22) | func (c *testCertStore) getCert() ([]*x509.Certificate, error) {
    method setCert (line 28) | func (c *testCertStore) setCert(cert *x509.Certificate) {
  function shutdownServer (line 34) | func shutdownServer(server *http.Server, t *testing.T) {
  function TestHttpCert (line 41) | func TestHttpCert(t *testing.T) {

FILE: pkg/controller/signal_notwin.go
  function initKeyGenSignalListener (line 12) | func initKeyGenSignalListener(trigger func()) {

FILE: pkg/controller/signal_windows.go
  function initKeyGenSignalListener (line 3) | func initKeyGenSignalListener(trigger func()) {}

FILE: pkg/crypto/crypto.go
  constant sessionKeyBytes (line 17) | sessionKeyBytes = 32
  function PublicKeyFingerprint (line 24) | func PublicKeyFingerprint(rp *rsa.PublicKey) (string, error) {
  function HybridEncrypt (line 36) | func HybridEncrypt(rnd io.Reader, pubKey *rsa.PublicKey, plaintext, labe...
  function HybridDecrypt (line 77) | func HybridDecrypt(rnd io.Reader, privKeys map[string]*rsa.PrivateKey, c...
  function singleDecrypt (line 88) | func singleDecrypt(rnd io.Reader, privKey *rsa.PrivateKey, ciphertext, l...

FILE: pkg/crypto/keys.go
  function GeneratePrivateKeyAndCert (line 14) | func GeneratePrivateKeyAndCert(keySize int, validFor time.Duration, cn s...
  function SignKey (line 28) | func SignKey(r io.Reader, key *rsa.PrivateKey, validFor time.Duration, c...
  function SignKeyWithNotBefore (line 36) | func SignKeyWithNotBefore(r io.Reader, key *rsa.PrivateKey, notBefore ti...

FILE: pkg/crypto/keys_test.go
  function testRand (line 13) | func testRand() io.Reader {
  function TestSignKey (line 17) | func TestSignKey(t *testing.T) {

FILE: pkg/flagenv/flagenv.go
  function SetFlagsFromEnv (line 33) | func SetFlagsFromEnv(prefix string, fs *flag.FlagSet) {

FILE: pkg/flagenv/flagenv_test.go
  function TestFlagenv (line 12) | func TestFlagenv(t *testing.T) {

FILE: pkg/kubeseal/kubeseal.go
  type ClientConfig (line 37) | type ClientConfig interface
  function ParseKey (line 42) | func ParseKey(r io.Reader) (*rsa.PublicKey, error) {
  function prettyEncoder (line 70) | func prettyEncoder(codecs runtimeserializer.CodecFactory, mediaType stri...
  function isFilename (line 85) | func isFilename(name string) (bool, error) {
  function getServicePortName (line 98) | func getServicePortName(ctx context.Context, client corev1.CoreV1Interfa...
  function openCertLocal (line 108) | func openCertLocal(filenameOrURI string) (io.ReadCloser, error) {
  function openCertURI (line 119) | func openCertURI(uri string) (io.ReadCloser, error) {
  function openCertCluster (line 141) | func openCertCluster(ctx context.Context, c corev1.CoreV1Interface, name...
  function OpenCert (line 153) | func OpenCert(ctx context.Context, clientConfig ClientConfig, controller...
  function readSecrets (line 170) | func readSecrets(r io.Reader) ([]*v1.Secret, error) {
  function readSealedSecrets (line 195) | func readSealedSecrets(r io.Reader) ([]*ssv1alpha1.SealedSecret, error) {
  function Seal (line 223) | func Seal(clientConfig ClientConfig, outputFormat string, in io.Reader, ...
  function ValidateSealedSecret (line 287) | func ValidateSealedSecret(ctx context.Context, clientConfig ClientConfig...
  function ReEncryptSealedSecret (line 330) | func ReEncryptSealedSecret(ctx context.Context, clientConfig ClientConfi...
  function resourceOutput (line 391) | func resourceOutput(out io.Writer, outputFormat string, codecs runtimese...
  function sealedSecretOutput (line 418) | func sealedSecretOutput(out io.Writer, outputFormat string, codecs runti...
  function decodeSealedSecret (line 422) | func decodeSealedSecret(codecs runtimeserializer.CodecFactory, b []byte)...
  function SealMergingInto (line 430) | func SealMergingInto(clientConfig ClientConfig, outputFormat string, in ...
  function EncryptSecretItem (line 495) | func EncryptSecretItem(w io.Writer, secretName, ns string, data []byte, ...
  function ParseFromFile (line 509) | func ParseFromFile(s string) (string, string) {
  function readPrivKeysFromFile (line 517) | func readPrivKeysFromFile(filename string) ([]*rsa.PrivateKey, error) {
  function readPrivKey (line 566) | func readPrivKey(filename string) (*rsa.PrivateKey, error) {
  function parsePrivKey (line 574) | func parsePrivKey(b []byte) (*rsa.PrivateKey, error) {
  function readPrivKeys (line 587) | func readPrivKeys(filenames []string) (map[string]*rsa.PrivateKey, error) {
  function UnsealSealedSecret (line 606) | func UnsealSealedSecret(w io.Writer, in io.Reader, privKeysFilenames []s...

FILE: pkg/kubeseal/kubeseal_test.go
  constant testCert (line 40) | testCert = `
  function init (line 76) | func init() {
  function tmpfile (line 84) | func tmpfile(t *testing.T, contents []byte) string {
  function TestParseKey (line 98) | func TestParseKey(t *testing.T) {
  function testClientConfig (line 115) | func testClientConfig() clientcmd.ClientConfig {
  function TestOpenCertFile (line 121) | func TestOpenCertFile(t *testing.T) {
  function TestSealWithMultiDocSecrets (line 158) | func TestSealWithMultiDocSecrets(t *testing.T) {
  function TestSeal (line 248) | func TestSeal(t *testing.T) {
  type mkTestSecretOpt (line 467) | type mkTestSecretOpt
  type mkTestSecretOpts (line 468) | type mkTestSecretOpts struct
  function withSecretName (line 474) | func withSecretName(n string) mkTestSecretOpt {
  function withSecretNamespace (line 480) | func withSecretNamespace(n string) mkTestSecretOpt {
  function asYAML (line 486) | func asYAML(y bool) mkTestSecretOpt {
  function mkTestSecret (line 492) | func mkTestSecret(t *testing.T, key, value string, opts ...mkTestSecretO...
  function mkTestSealedSecret (line 534) | func mkTestSealedSecret(t *testing.T, pubKey *rsa.PublicKey, key, value ...
  function newTestKeyPair (line 547) | func newTestKeyPair(t *testing.T) (*rsa.PublicKey, map[string]*rsa.Priva...
  function TestUnseal (line 563) | func TestUnseal(t *testing.T) {
  function TestUnsealList (line 607) | func TestUnsealList(t *testing.T) {
  function TestMergeInto (line 668) | func TestMergeInto(t *testing.T) {
  function writeTempFile (line 770) | func writeTempFile(b []byte) (string, error) {
  function testingKeypairFiles (line 787) | func testingKeypairFiles(t *testing.T) (string, string, func()) {
  function sealTestItem (line 815) | func sealTestItem(certFilename, secretNS, secretName, secretValue string...
  function TestRaw (line 838) | func TestRaw(t *testing.T) {
  function newTestKeyPairSingle (line 922) | func newTestKeyPairSingle(t *testing.T) (*rsa.PublicKey, *rsa.PrivateKey) {
  function TestReadPrivKeySecret (line 930) | func TestReadPrivKeySecret(t *testing.T) {
  function TestReadPrivKeyPEM (line 966) | func TestReadPrivKeyPEM(t *testing.T) {
  function TestNamespaceMismatchValidation (line 994) | func TestNamespaceMismatchValidation(t *testing.T) {
  type mockClientConfig (line 1108) | type mockClientConfig struct
    method Namespace (line 1113) | func (m *mockClientConfig) Namespace() (string, bool, error) {
    method ClientConfig (line 1117) | func (m *mockClientConfig) ClientConfig() (*rest.Config, error) {
    method ConfigAccess (line 1121) | func (m *mockClientConfig) ConfigAccess() clientcmd.ConfigAccess {
    method RawConfig (line 1125) | func (m *mockClientConfig) RawConfig() (clientcmdapi.Config, error) {

FILE: pkg/log/log.go
  type MultiStreamHandler (line 10) | type MultiStreamHandler struct
    method Enabled (line 33) | func (m *MultiStreamHandler) Enabled(ctx context.Context, level slog.L...
    method Handle (line 38) | func (m *MultiStreamHandler) Handle(ctx context.Context, r slog.Record...
    method WithAttrs (line 45) | func (m *MultiStreamHandler) WithAttrs(attrs []slog.Attr) slog.Handler {
    method WithGroup (line 50) | func (m *MultiStreamHandler) WithGroup(string) slog.Handler {
  function New (line 17) | func New(outLow, outHigh io.Writer, format string, opts *slog.HandlerOpt...

FILE: pkg/multidocyaml/multidocyaml.go
  function isMultiDocumentYAML (line 10) | func isMultiDocumentYAML(src []byte) bool {
  function EnsureNotMultiDoc (line 18) | func EnsureNotMultiDoc(src []byte) error {

FILE: pkg/multidocyaml/multidocyaml_test.go
  function TestIsMultiDocumentYAML (line 5) | func TestIsMultiDocumentYAML(t *testing.T) {

FILE: pkg/pflagenv/flagenv.go
  function SetFlagsFromEnv (line 34) | func SetFlagsFromEnv(prefix string, fs *flag.FlagSet) {

FILE: pkg/pflagenv/flagenv_test.go
  function TestPflagenv (line 12) | func TestPflagenv(t *testing.T) {

FILE: site/themes/template/static/js/main.js
  function mobileNavToggle (line 3) | function mobileNavToggle() {
  function docsVersionToggle (line 8) | function docsVersionToggle() {
Condensed preview — 252 files, each showing path, character count, and a content snippet.
[
  {
    "path": ".gitattributes",
    "chars": 40,
    "preview": "vendor_jsonnet/ linguist-generated=true\n"
  },
  {
    "path": ".github/CODEOWNERS",
    "chars": 240,
    "preview": "# These owners will be the default owners for everything in\n# the repo. Unless a later match takes precedence,\n# @alvnei"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/bug_report.md",
    "chars": 806,
    "preview": "---\nname: Bug report\nabout: Create a report to help us improve\ntitle: ''\nlabels: triage\nassignees: ''\n\n---\n\n<!--\n Before"
  },
  {
    "path": ".github/ISSUE_TEMPLATE/feature_request.md",
    "chars": 695,
    "preview": "---\nname: Feature request\nabout: Suggest an idea for this project\ntitle: ''\nlabels: triage\nassignees: ''\n\n---\n\n**Which c"
  },
  {
    "path": ".github/PULL_REQUEST_TEMPLATE.md",
    "chars": 1413,
    "preview": "<!--\n Before you open the request please review the following guidelines and tips to help it be more easily integrated:\n"
  },
  {
    "path": ".github/dependabot.yml",
    "chars": 639,
    "preview": "# To get started with Dependabot version updates, you'll need to specify which\n# package ecosystems to update and where "
  },
  {
    "path": ".github/workflows/ci.yml",
    "chars": 9085,
    "preview": "name: CI\n\non:\n  push:\n    branches: [ main ]\n  pull_request:\n    branches: [ main ]\n\nenv:\n  controller_registry: docker."
  },
  {
    "path": ".github/workflows/cosign.pub",
    "chars": 178,
    "preview": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEseWNtEaI73oDVgjfLzU4eQYHE11i\nMzRSNs1TA+cTT/Lw70ckfCC/vHnO"
  },
  {
    "path": ".github/workflows/helm-release.yaml",
    "chars": 3516,
    "preview": "name: Release Helm Chart and Carvel package\n\non:\n  push:\n    paths:\n      # update this file to trigger helm chart relea"
  },
  {
    "path": ".github/workflows/helm-vib-lint.yaml",
    "chars": 665,
    "preview": "name: Lint Helm Chart\non:\n  workflow_dispatch:\n  pull_request_target:\n    branches:\n      - main\n      - bitnami-labs:ma"
  },
  {
    "path": ".github/workflows/helm-vib.yaml",
    "chars": 1143,
    "preview": "name: Verify Helm Chart\non:\n  workflow_dispatch:\n  push:\n    branches:\n      - main\n    paths:\n       - 'helm/**'\n\nenv:\n"
  },
  {
    "path": ".github/workflows/publish-release.yaml",
    "chars": 1647,
    "preview": "name: Publish Release\n\non:\n  workflow_dispatch:\n    inputs:\n      chart:\n        description: 'Chart version (e.g. 2.11."
  },
  {
    "path": ".github/workflows/release.yaml",
    "chars": 5491,
    "preview": "name: Prepare Release\n\n# Only release when a new GH release branch is pushed\non:\n  push:\n    branches:\n      - 'release/"
  },
  {
    "path": ".github/workflows/stale.yml",
    "chars": 1324,
    "preview": "name: 'Close stale issues and PRs'\non:\n  schedule:\n    # Stalebot will be executed at 1:00 AM every day\n    - cron: '0 1"
  },
  {
    "path": ".gitignore",
    "chars": 728,
    "preview": "# Binaries for programs and plugins\n*.exe\n*.dll\n*.so\n*.dylib\n\n# Test binary, build with `go test -c`\n*.test\n\n# Output of"
  },
  {
    "path": ".golangci.yaml",
    "chars": 13174,
    "preview": "# Inspired by https://gist.github.com/maratori/47a4d00457a92aa426dbd48a18776322\n\n# output configuration options\noutput:\n"
  },
  {
    "path": ".goreleaser.yml",
    "chars": 3395,
    "preview": "project_name: sealed-secrets\nenv:\n  - CGO_ENABLED=0\nbuilds:\n  - binary: controller\n    id: controller\n    main: ./cmd/co"
  },
  {
    "path": ".vib/vib-pipeline.json",
    "chars": 872,
    "preview": "{\n  \"phases\": {\n    \"package\": {\n      \"context\": {\n        \"resources\": {\n          \"url\": \"{SHA_ARCHIVE}\",\n          \""
  },
  {
    "path": ".vib/vib-platform-verify-openshift.json",
    "chars": 1242,
    "preview": "{\n  \"phases\": {\n    \"package\": {\n      \"context\": {\n        \"resources\": {\n          \"url\": \"{SHA_ARCHIVE}\",\n          \""
  },
  {
    "path": "CODE_OF_CONDUCT.md",
    "chars": 5233,
    "preview": "# Contributor Covenant Code of Conduct\n\n## Our Pledge\n\nWe as members, contributors, and leaders pledge to make participa"
  },
  {
    "path": "CONTRIBUTING.md",
    "chars": 3815,
    "preview": "# Contributing Guidelines\n\nContributions are welcome via GitHub Pull Requests. This document outlines the process to hel"
  },
  {
    "path": "LICENSE",
    "chars": 11357,
    "preview": "                                 Apache License\n                           Version 2.0, January 2004\n                   "
  },
  {
    "path": "MAINTAINERS.md",
    "chars": 1009,
    "preview": "# Sealed Secrets Maintainers\n\n## Maintainers\n\n| Maintainer         | GitHub ID                                          "
  },
  {
    "path": "Makefile",
    "chars": 4787,
    "preview": "GO = go\nGOTESTSUM = gotestsum\nGOFMT = gofmt\nGOLANGCILINT=golangci-lint -vv\nGOSEC=gosec\n\nexport GO111MODULE = on\nGO_FLAGS"
  },
  {
    "path": "README.md",
    "chars": 46551,
    "preview": "# \"Sealed Secrets\" for Kubernetes\n\n[![](https://img.shields.io/badge/install-docs-brightgreen.svg)](#Installation)\n[![]("
  },
  {
    "path": "RELEASE-NOTES.md",
    "chars": 76120,
    "preview": "# Release Notes\n\nLatest release:\n\n[![](https://img.shields.io/github/release/bitnami-labs/sealed-secrets.svg)](https://g"
  },
  {
    "path": "SECURITY.md",
    "chars": 6379,
    "preview": "# Security Release Process\n\nThe community has adopted this security disclosure and response policy to ensure we responsi"
  },
  {
    "path": "carvel/package.yaml",
    "chars": 15579,
    "preview": "apiVersion: data.packaging.carvel.dev/v1alpha1\nkind: Package\nmetadata:\n  name: \"sealedsecrets.bitnami.com.2.18.1\"\nspec:\n"
  },
  {
    "path": "cmd/controller/main.go",
    "chars": 5661,
    "preview": "package main\n\nimport (\n\tgoflag \"flag\"\n\t\"fmt\"\n\t\"io\"\n\t\"log/slog\"\n\t\"os\"\n\t\"time\"\n\n\tflag \"github.com/spf13/pflag\"\n\n\t\"github.c"
  },
  {
    "path": "cmd/controller/main_test.go",
    "chars": 533,
    "preview": "package main\n\nimport (\n\t\"bytes\"\n\tgoflag \"flag\"\n\t\"testing\"\n\n\tflag \"github.com/spf13/pflag\"\n)\n\nfunc TestVersion(t *testing"
  },
  {
    "path": "cmd/kubeseal/main.go",
    "chars": 10585,
    "preview": "package main\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"path/filepath\"\n\n\tgoflag \"flag\"\n\n\tssv1alpha1 \"github.com/bitnami-l"
  },
  {
    "path": "cmd/kubeseal/main_test.go",
    "chars": 8093,
    "preview": "package main\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/rand\"\n\t\"crypto/rsa\"\n\t\"encoding/pem\"\n\tgoflag \"flag\"\n\t\"fmt\"\n\t\"io\"\n\t\"os"
  },
  {
    "path": "contrib/prometheus-mixin/.gitignore",
    "chars": 11,
    "preview": "manifests/\n"
  },
  {
    "path": "contrib/prometheus-mixin/Makefile",
    "chars": 1951,
    "preview": "# Prometheus Mixin Makefile\n# Heavily copied from upstream project kubenetes-mixin\n\nPROMETHEUS_IMAGE := prom/prometheus:"
  },
  {
    "path": "contrib/prometheus-mixin/README.md",
    "chars": 3987,
    "preview": "# Sealed Secrets Metrics\n\nThe Sealed Secrets Controller running in Kubernetes exposes Prometheus\nmetrics on `*:8081/metr"
  },
  {
    "path": "contrib/prometheus-mixin/alerts/alerts.libsonnet",
    "chars": 82,
    "preview": "// Sealed Secrets Alertmanager Alerts\n\n(import 'sealed-secrets-alerts.libsonnet')\n"
  },
  {
    "path": "contrib/prometheus-mixin/alerts/sealed-secrets-alerts.libsonnet",
    "chars": 1697,
    "preview": "{\n  prometheusAlerts+:: {\n    groups+: [{\n      name: 'sealed-secrets',\n      rules: [\n        // SealedSecretsErrorRate"
  },
  {
    "path": "contrib/prometheus-mixin/config.libsonnet",
    "chars": 63,
    "preview": "// Sealed Secrets Prometheus Mixin Config\n{\n  _config+:: {},\n}\n"
  },
  {
    "path": "contrib/prometheus-mixin/dashboards/dashboards.libsonnet",
    "chars": 153,
    "preview": "// Sealed Secrets Grafana Dashboards\n\n{\n  grafanaDashboards+:: {\n    'sealed-secrets-controller.json': (import 'sealed-s"
  },
  {
    "path": "contrib/prometheus-mixin/dashboards/sealed-secrets-controller.json",
    "chars": 6857,
    "preview": "{\n  \"annotations\": {\n    \"list\": [\n      {\n        \"builtIn\": 1,\n        \"datasource\": \"-- Grafana --\",\n        \"enable\""
  },
  {
    "path": "contrib/prometheus-mixin/lib/alerts.jsonnet",
    "chars": 68,
    "preview": "std.manifestYamlDoc((import '../mixin.libsonnet').prometheusAlerts)\n"
  },
  {
    "path": "contrib/prometheus-mixin/lib/dashboards.jsonnet",
    "chars": 143,
    "preview": "local dashboards = (import '../mixin.libsonnet').grafanaDashboards;\n\n{\n  [name]: dashboards[name]\n  for name in std.obje"
  },
  {
    "path": "contrib/prometheus-mixin/lib/rules.jsonnet",
    "chars": 67,
    "preview": "std.manifestYamlDoc((import '../mixin.libsonnet').prometheusRules)\n"
  },
  {
    "path": "contrib/prometheus-mixin/mixin.libsonnet",
    "chars": 446,
    "preview": "// Prometheus Mixin\n// Follows the kubernetes-mixin project pattern here: https://github.com/kubernetes-monitoring/kuber"
  },
  {
    "path": "contrib/prometheus-mixin/rules/rules.libsonnet",
    "chars": 150,
    "preview": "// Sealed Secrets Prometheus Recording Rules\n{\n  prometheusRules+:: {\n    groups+: [\n      // import ('sealed-secrets-ru"
  },
  {
    "path": "contrib/prometheus-mixin/tests.yaml",
    "chars": 886,
    "preview": "---\nrule_files:\n- /tmp/manifests/prometheus_alerts.yaml\n- /tmp/manifests/prometheus_rules.yaml\n\nevaluation_interval: 1m\n"
  },
  {
    "path": "controller-norbac.jsonnet",
    "chars": 2765,
    "preview": "// Minimal required deployment for a functional controller.\n\nlocal kubecfg = import 'kubecfg.libsonnet';\n\nlocal namespac"
  },
  {
    "path": "controller-podmonitor.jsonnet",
    "chars": 926,
    "preview": "// Prometheus Pod Monitor manifest\n// ref: https://github.com/prometheus-operator/prometheus-operator#customresourcedefi"
  },
  {
    "path": "controller.jsonnet",
    "chars": 3195,
    "preview": "// This is the recommended cluster deployment of sealed-secrets.\n// See controller-norbac.jsonnet for the bare minimum f"
  },
  {
    "path": "docker/controller.Dockerfile",
    "chars": 311,
    "preview": "FROM gcr.io/distroless/static@sha256:47b2d72ff90843eb8a768b5c2f89b40741843b639d065b9b937b07cd59b479c6\nLABEL maintainer \""
  },
  {
    "path": "docker/kubeseal.Dockerfile",
    "chars": 287,
    "preview": "FROM gcr.io/distroless/static@sha256:47b2d72ff90843eb8a768b5c2f89b40741843b639d065b9b937b07cd59b479c6\nLABEL maintainer \""
  },
  {
    "path": "docs/GKE.md",
    "chars": 5450,
    "preview": "<!-- START doctoc generated TOC please keep comment here to allow auto update -->\n<!-- DON'T EDIT THIS SECTION, INSTEAD "
  },
  {
    "path": "docs/bring-your-own-certificates.md",
    "chars": 3260,
    "preview": "# Bring your own certificates\n\nThe controller generates its own certificates when is deployed for the first time, it als"
  },
  {
    "path": "docs/developer/README.md",
    "chars": 2799,
    "preview": "# Developer Guide\n\n**Table of Contents**\n\n<!-- START doctoc generated TOC please keep comment here to allow auto update "
  },
  {
    "path": "docs/developer/controller.md",
    "chars": 4367,
    "preview": "# Controller Developer Guide\n\nThe controller is in charge of keeping the current state of `SealedSecret` objects in sync"
  },
  {
    "path": "docs/developer/crypto.md",
    "chars": 9878,
    "preview": "# Cryptographic documentation\n\n## Protocols and cryptographic tools used\n\nSealed-secrets uses the following protocols fo"
  },
  {
    "path": "docs/developer/kubeseal.md",
    "chars": 589,
    "preview": "# Kubeseal Developer Guide\n\nKubeseal component is a CLI tool that uses asymmetric crypto to encrypt secrets that only th"
  },
  {
    "path": "docs/developer/swagger.yml",
    "chars": 3316,
    "preview": "openapi: 3.0.3\ninfo:\n  title: Sealed Secrets Controller\n  description: Sealed Secrets are \"one-way\" encrypted K8s Secret"
  },
  {
    "path": "docs/examples/config-template/README.md",
    "chars": 1558,
    "preview": "# Injecting secrets into config file templates\n\nKubernetes Secrets are very flexible and can be consumed in many ways.\nS"
  },
  {
    "path": "docs/examples/config-template/deployment.yaml",
    "chars": 821,
    "preview": "---\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: example\nspec:\n  selector:\n    matchLabels:\n      app: example"
  },
  {
    "path": "docs/examples/config-template/sealedsecret.yaml",
    "chars": 1646,
    "preview": "--- \napiVersion: bitnami.com/v1alpha1\nkind: SealedSecret\nmetadata:\n  name: example\nspec:\n  encryptedData:\n    server1: \""
  },
  {
    "path": "githooks/pre-commit/doc-toc",
    "chars": 462,
    "preview": "#!/bin/bash\n\ncurrent_branch=\"$(git rev-parse --abbrev-ref HEAD)\"\norigin_commit=\"$(git rev-parse --short \"$(git merge-bas"
  },
  {
    "path": "go.mod",
    "chars": 3462,
    "preview": "module github.com/bitnami-labs/sealed-secrets\n\ngo 1.26.1\n\nrequire (\n\tgithub.com/Masterminds/sprig/v3 v3.3.0\n\tgithub.com/"
  },
  {
    "path": "go.sum",
    "chars": 17920,
    "preview": "dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=\ndario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobSt"
  },
  {
    "path": "hack/boilerplate.go.txt",
    "chars": 0,
    "preview": ""
  },
  {
    "path": "hack/tools.go",
    "chars": 268,
    "preview": "// This file forces go mod to include dependencies used during build, such as\n// code generation tools.\n// The build tag"
  },
  {
    "path": "hack/update-codegen.sh",
    "chars": 687,
    "preview": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nSCRIPT_ROOT=$(dirname \"${BASH_SOURCE[0]}\")/..\nCODEGE"
  },
  {
    "path": "helm/sealed-secrets/.helmignore",
    "chars": 333,
    "preview": "# Patterns to ignore when building packages.\n# This supports shell glob matching, relative path matching, and\n# negation"
  },
  {
    "path": "helm/sealed-secrets/Chart.yaml",
    "chars": 547,
    "preview": "annotations:\n  category: DeveloperTools\napiVersion: v2\nappVersion: 0.36.1\ndescription: Helm chart for the sealed-secrets"
  },
  {
    "path": "helm/sealed-secrets/README.md",
    "chars": 34520,
    "preview": "# Sealed Secrets\n\nSealed Secrets are \"one-way\" encrypted K8s Secrets that can be created by anyone, but can only be decr"
  },
  {
    "path": "helm/sealed-secrets/crds/bitnami.com_sealedsecrets.yaml",
    "chars": 6659,
    "preview": "apiVersion: apiextensions.k8s.io/v1\nkind: CustomResourceDefinition\nmetadata:\n  annotations:\n    controller-gen.kubebuild"
  },
  {
    "path": "helm/sealed-secrets/dashboards/sealed-secrets-controller.json",
    "chars": 8879,
    "preview": "{\n    \"annotations\": {\n        \"list\": [\n            {\n                \"builtIn\": 1,\n                \"datasource\": \"-- G"
  },
  {
    "path": "helm/sealed-secrets/templates/NOTES.txt",
    "chars": 1926,
    "preview": "{{ if .Values.createController -}}\n\n** Please be patient while the chart is being deployed **\n\nYou should now be able to"
  },
  {
    "path": "helm/sealed-secrets/templates/_helpers.tpl",
    "chars": 6392,
    "preview": "{{/*\nExpand the name of the chart.\n*/}}\n{{- define \"sealed-secrets.name\" -}}\n{{- default .Chart.Name .Values.nameOverrid"
  },
  {
    "path": "helm/sealed-secrets/templates/cluster-role-binding.yaml",
    "chars": 1033,
    "preview": "{{ if and .Values.rbac.create (not .Values.rbac.namespacedRoles)}}\napiVersion: rbac.authorization.k8s.io/v1\nkind: Cluste"
  },
  {
    "path": "helm/sealed-secrets/templates/cluster-role.yaml",
    "chars": 1520,
    "preview": "{{ if and (and .Values.rbac.create .Values.rbac.clusterRole) (not .Values.rbac.namespacedRoles) }}\napiVersion: rbac.auth"
  },
  {
    "path": "helm/sealed-secrets/templates/configmap-dashboards.yaml",
    "chars": 1260,
    "preview": "{{- if .Values.metrics.dashboards.create }}\n{{- $namespace := .Values.metrics.dashboards.namespace | default $.Release.N"
  },
  {
    "path": "helm/sealed-secrets/templates/deployment.yaml",
    "chars": 9892,
    "preview": "{{- if .Values.createController }}\napiVersion: {{ include \"sealed-secrets.deployment.apiVersion\" . }}\nkind: Deployment\nm"
  },
  {
    "path": "helm/sealed-secrets/templates/extra-list.yaml",
    "chars": 115,
    "preview": "{{- range .Values.extraDeploy }}\n---\n{{ include \"sealed-secrets.render\" (dict \"value\" . \"context\" $) }}\n{{- end }}\n"
  },
  {
    "path": "helm/sealed-secrets/templates/ingress.yaml",
    "chars": 2817,
    "preview": "{{- if and .Values.createController .Values.ingress.enabled }}\napiVersion: {{ include \"sealed-secrets.ingress.apiVersion"
  },
  {
    "path": "helm/sealed-secrets/templates/networkpolicy.yaml",
    "chars": 1741,
    "preview": "{{- if .Values.networkPolicy.enabled }}\napiVersion: {{ include \"sealed-secrets.networkPolicy.apiVersion\" . }}\nkind: Netw"
  },
  {
    "path": "helm/sealed-secrets/templates/pdb.yaml",
    "chars": 945,
    "preview": "{{- if .Values.pdb.create }}\nkind: PodDisruptionBudget\napiVersion: policy/v1\nmetadata:\n  name: {{ include \"sealed-secret"
  },
  {
    "path": "helm/sealed-secrets/templates/psp-clusterrole.yaml",
    "chars": 898,
    "preview": "{{- if .Values.rbac.pspEnabled }}\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n  name: {{ printf"
  },
  {
    "path": "helm/sealed-secrets/templates/psp-clusterrolebinding.yaml",
    "chars": 1027,
    "preview": "{{- if .Values.rbac.pspEnabled }}\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: {{"
  },
  {
    "path": "helm/sealed-secrets/templates/psp.yaml",
    "chars": 1012,
    "preview": "{{- if .Values.rbac.pspEnabled }}\napiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\n  name: {{ include \"seale"
  },
  {
    "path": "helm/sealed-secrets/templates/role-binding.yaml",
    "chars": 3270,
    "preview": "{{ if .Values.rbac.create }}\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n  name: {{ printf \"%s-"
  },
  {
    "path": "helm/sealed-secrets/templates/role.yaml",
    "chars": 3378,
    "preview": "{{ if .Values.rbac.create }}\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n  name: {{ printf \"%s-key-adm"
  },
  {
    "path": "helm/sealed-secrets/templates/service-account.yaml",
    "chars": 946,
    "preview": "{{ if .Values.serviceAccount.create }}\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: {{ include \"sealed-secrets."
  },
  {
    "path": "helm/sealed-secrets/templates/service.yaml",
    "chars": 3292,
    "preview": "{{- if .Values.createController -}}\napiVersion: v1\nkind: Service\nmetadata:\n  name: {{ include \"sealed-secrets.fullname\" "
  },
  {
    "path": "helm/sealed-secrets/templates/servicemonitor.yaml",
    "chars": 2191,
    "preview": "{{- if .Values.metrics.serviceMonitor.enabled }}\napiVersion: monitoring.coreos.com/v1\nkind: ServiceMonitor\nmetadata:\n  n"
  },
  {
    "path": "helm/sealed-secrets/templates/tls-secret.yaml",
    "chars": 1710,
    "preview": "{{- if and .Values.createController .Values.ingress.enabled }}\n{{- if .Values.ingress.secrets }}\n{{- range .Values.ingre"
  },
  {
    "path": "helm/sealed-secrets/values.yaml",
    "chars": 21755,
    "preview": "## @section Common parameters\n\n## @param kubeVersion Override Kubernetes version\n##\nkubeVersion: \"\"\n## @param nameOverri"
  },
  {
    "path": "integration/controller_test.go",
    "chars": 33333,
    "preview": "//go:build integration\n// +build integration\n\npackage integration\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/rand\"\n\t\"crypto/"
  },
  {
    "path": "integration/integration_suite_test.go",
    "chars": 4664,
    "preview": "//go:build integration\n// +build integration\n\npackage integration\n\nimport (\n\t\"bufio\"\n\t\"bytes\"\n\t\"context\"\n\t\"flag\"\n\t\"fmt\"\n"
  },
  {
    "path": "integration/kubeseal_test.go",
    "chars": 10417,
    "preview": "//go:build integration\n// +build integration\n\npackage integration\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/rsa\"\n\t\"crypto/x"
  },
  {
    "path": "jsonnetfile.json",
    "chars": 317,
    "preview": "{\n    \"dependencies\": [\n        {\n            \"name\": \"kube-libsonnet\",\n            \"source\": {\n                \"git\": {"
  },
  {
    "path": "jsonnetfile.lock.json",
    "chars": 351,
    "preview": "{\n    \"dependencies\": [\n        {\n            \"name\": \"kube-libsonnet\",\n            \"source\": {\n                \"git\": {"
  },
  {
    "path": "kube-fixes.libsonnet",
    "chars": 634,
    "preview": "{\n  CustomResourceDefinition(group, version, kind): {\n    local this = self,\n    apiVersion: 'apiextensions.k8s.io/v1',\n"
  },
  {
    "path": "pkg/apis/sealedsecrets/v1alpha1/doc.go",
    "chars": 210,
    "preview": "// +k8s:deepcopy-gen=package,register\n\n// +groupName=bitnami.com\n\n// Package v1alpha1 contains the definition of the sea"
  },
  {
    "path": "pkg/apis/sealedsecrets/v1alpha1/register.go",
    "chars": 1223,
    "preview": "package v1alpha1\n\nimport (\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n\t\"k8s.io/apimachinery/pkg/runtime\"\n\t\"k8s.io/ap"
  },
  {
    "path": "pkg/apis/sealedsecrets/v1alpha1/sealedsecret_expansion.go",
    "chars": 10968,
    "preview": "package v1alpha1\n\nimport (\n\t\"bytes\"\n\t\"crypto/rand\"\n\t\"crypto/rsa\"\n\t\"encoding/base64\"\n\t\"errors\"\n\t\"fmt\"\n\t\"text/template\"\n\n\t"
  },
  {
    "path": "pkg/apis/sealedsecrets/v1alpha1/sealedsecret_test.go",
    "chars": 16269,
    "preview": "package v1alpha1\n\nimport (\n\t\"bytes\"\n\t\"crypto/rsa\"\n\t\"encoding/base64\"\n\t\"encoding/json\"\n\t\"io\"\n\tmathrand \"math/rand\"\n\t\"refl"
  },
  {
    "path": "pkg/apis/sealedsecrets/v1alpha1/types.go",
    "chars": 6939,
    "preview": "package v1alpha1\n\nimport (\n\t\"encoding/json\"\n\n\tapiv1 \"k8s.io/api/core/v1\"\n\tmetav1 \"k8s.io/apimachinery/pkg/apis/meta/v1\"\n"
  },
  {
    "path": "pkg/apis/sealedsecrets/v1alpha1/zz_generated.deepcopy.go",
    "chars": 6134,
    "preview": "//go:build !ignore_autogenerated\n// +build !ignore_autogenerated\n\n// Code generated by deepcopy-gen. DO NOT EDIT.\n\npacka"
  },
  {
    "path": "pkg/buildinfo/version.go",
    "chars": 409,
    "preview": "package buildinfo\n\nimport \"runtime/debug\"\n\n// DefaultVersion is the default version string if it's unset.\nconst DefaultV"
  },
  {
    "path": "pkg/client/clientset/versioned/clientset.go",
    "chars": 3296,
    "preview": "// Code generated by client-gen. DO NOT EDIT.\n\npackage versioned\n\nimport (\n\t\"fmt\"\n\t\"net/http\"\n\n\tbitnamiv1alpha1 \"github."
  },
  {
    "path": "pkg/client/clientset/versioned/fake/clientset_generated.go",
    "chars": 2319,
    "preview": "// Code generated by client-gen. DO NOT EDIT.\n\npackage fake\n\nimport (\n\tclientset \"github.com/bitnami-labs/sealed-secrets"
  },
  {
    "path": "pkg/client/clientset/versioned/fake/doc.go",
    "chars": 124,
    "preview": "// Code generated by client-gen. DO NOT EDIT.\n\n// This package has the automatically generated fake clientset.\npackage f"
  },
  {
    "path": "pkg/client/clientset/versioned/fake/register.go",
    "chars": 1302,
    "preview": "// Code generated by client-gen. DO NOT EDIT.\n\npackage fake\n\nimport (\n\tbitnamiv1alpha1 \"github.com/bitnami-labs/sealed-s"
  },
  {
    "path": "pkg/client/clientset/versioned/scheme/doc.go",
    "chars": 140,
    "preview": "// Code generated by client-gen. DO NOT EDIT.\n\n// This package contains the scheme of the automatically generated client"
  },
  {
    "path": "pkg/client/clientset/versioned/scheme/register.go",
    "chars": 1358,
    "preview": "// Code generated by client-gen. DO NOT EDIT.\n\npackage scheme\n\nimport (\n\tbitnamiv1alpha1 \"github.com/bitnami-labs/sealed"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/sealedsecrets/v1alpha1/doc.go",
    "chars": 127,
    "preview": "// Code generated by client-gen. DO NOT EDIT.\n\n// This package has the automatically generated typed clients.\npackage v1"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/sealedsecrets/v1alpha1/fake/doc.go",
    "chars": 117,
    "preview": "// Code generated by client-gen. DO NOT EDIT.\n\n// Package fake has the automatically generated clients.\npackage fake\n"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/sealedsecrets/v1alpha1/fake/fake_sealedsecret.go",
    "chars": 4939,
    "preview": "// Code generated by client-gen. DO NOT EDIT.\n\npackage fake\n\nimport (\n\t\"context\"\n\n\tv1alpha1 \"github.com/bitnami-labs/sea"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/sealedsecrets/v1alpha1/fake/fake_sealedsecrets_client.go",
    "chars": 654,
    "preview": "// Code generated by client-gen. DO NOT EDIT.\n\npackage fake\n\nimport (\n\tv1alpha1 \"github.com/bitnami-labs/sealed-secrets/"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/sealedsecrets/v1alpha1/generated_expansion.go",
    "chars": 104,
    "preview": "// Code generated by client-gen. DO NOT EDIT.\n\npackage v1alpha1\n\ntype SealedSecretExpansion interface{}\n"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/sealedsecrets/v1alpha1/sealedsecret.go",
    "chars": 6535,
    "preview": "// Code generated by client-gen. DO NOT EDIT.\n\npackage v1alpha1\n\nimport (\n\t\"context\"\n\t\"time\"\n\n\tv1alpha1 \"github.com/bitn"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/sealedsecrets/v1alpha1/sealedsecrets_client.go",
    "chars": 2655,
    "preview": "// Code generated by client-gen. DO NOT EDIT.\n\npackage v1alpha1\n\nimport (\n\t\"net/http\"\n\n\tv1alpha1 \"github.com/bitnami-lab"
  },
  {
    "path": "pkg/client/informers/externalversions/factory.go",
    "chars": 8629,
    "preview": "// Code generated by informer-gen. DO NOT EDIT.\n\npackage externalversions\n\nimport (\n\treflect \"reflect\"\n\tsync \"sync\"\n\ttim"
  },
  {
    "path": "pkg/client/informers/externalversions/generic.go",
    "chars": 1459,
    "preview": "// Code generated by informer-gen. DO NOT EDIT.\n\npackage externalversions\n\nimport (\n\t\"fmt\"\n\n\tv1alpha1 \"github.com/bitnam"
  },
  {
    "path": "pkg/client/informers/externalversions/internalinterfaces/factory_interfaces.go",
    "chars": 871,
    "preview": "// Code generated by informer-gen. DO NOT EDIT.\n\npackage internalinterfaces\n\nimport (\n\ttime \"time\"\n\n\tversioned \"github.c"
  },
  {
    "path": "pkg/client/informers/externalversions/sealedsecrets/interface.go",
    "chars": 1101,
    "preview": "// Code generated by informer-gen. DO NOT EDIT.\n\npackage sealedsecrets\n\nimport (\n\tinternalinterfaces \"github.com/bitnami"
  },
  {
    "path": "pkg/client/informers/externalversions/sealedsecrets/v1alpha1/interface.go",
    "chars": 1038,
    "preview": "// Code generated by informer-gen. DO NOT EDIT.\n\npackage v1alpha1\n\nimport (\n\tinternalinterfaces \"github.com/bitnami-labs"
  },
  {
    "path": "pkg/client/informers/externalversions/sealedsecrets/v1alpha1/sealedsecret.go",
    "chars": 3248,
    "preview": "// Code generated by informer-gen. DO NOT EDIT.\n\npackage v1alpha1\n\nimport (\n\t\"context\"\n\ttime \"time\"\n\n\tsealedsecretsv1alp"
  },
  {
    "path": "pkg/client/listers/sealedsecrets/v1alpha1/expansion_generated.go",
    "chars": 365,
    "preview": "// Code generated by lister-gen. DO NOT EDIT.\n\npackage v1alpha1\n\n// SealedSecretListerExpansion allows custom methods to"
  },
  {
    "path": "pkg/client/listers/sealedsecrets/v1alpha1/sealedsecret.go",
    "chars": 3118,
    "preview": "// Code generated by lister-gen. DO NOT EDIT.\n\npackage v1alpha1\n\nimport (\n\tv1alpha1 \"github.com/bitnami-labs/sealed-secr"
  },
  {
    "path": "pkg/controller/controller.go",
    "chars": 20092,
    "preview": "package controller\n\nimport (\n\t\"context\"\n\t\"crypto/rsa\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"log/slog\"\n\t\"reflect\"\n\t\"strings"
  },
  {
    "path": "pkg/controller/controller_test.go",
    "chars": 11578,
    "preview": "package controller\n\nimport (\n\t\"context\"\n\t\"crypto/rand\"\n\t\"crypto/rsa\"\n\t\"errors\"\n\t\"fmt\"\n\t\"testing\"\n\t\"time\"\n\n\t\"encoding/jso"
  },
  {
    "path": "pkg/controller/funcs.go",
    "chars": 1435,
    "preview": "package controller\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n\t\"time\"\n)\n\n// ScheduleJobWithTrigger creates a long-running loop that run"
  },
  {
    "path": "pkg/controller/keyregistry.go",
    "chars": 2868,
    "preview": "package controller\n\nimport (\n\t\"context\"\n\t\"crypto/rsa\"\n\t\"crypto/x509\"\n\t\"encoding/pem\"\n\t\"fmt\"\n\t\"log/slog\"\n\t\"sync\"\n\t\"time\"\n"
  },
  {
    "path": "pkg/controller/keyregistry_test.go",
    "chars": 1022,
    "preview": "package controller\n\nimport (\n\t\"testing\"\n\t\"time\"\n)\n\nfunc TestRegisterNewKey(t *testing.T) {\n\tconst keySize = 2048\n\tvalidF"
  },
  {
    "path": "pkg/controller/keys.go",
    "chars": 3243,
    "preview": "package controller\n\nimport (\n\t\"context\"\n\t\"crypto/rsa\"\n\t\"crypto/x509\"\n\t\"encoding/pem\"\n\t\"errors\"\n\t\"strings\"\n\t\"time\"\n\n\t\"git"
  },
  {
    "path": "pkg/controller/keys_test.go",
    "chars": 4117,
    "preview": "package controller\n\nimport (\n\t\"context\"\n\t\"crypto/rsa\"\n\t\"crypto/x509\"\n\t\"encoding/pem\"\n\t\"io\"\n\tmathrand \"math/rand\"\n\t\"refle"
  },
  {
    "path": "pkg/controller/main.go",
    "chars": 9587,
    "preview": "package controller\n\nimport (\n\t\"context\"\n\t\"crypto/rand\"\n\t\"crypto/x509\"\n\t\"io\"\n\t\"log/slog\"\n\t\"os\"\n\t\"os/signal\"\n\t\"sort\"\n\t\"str"
  },
  {
    "path": "pkg/controller/main_test.go",
    "chars": 10800,
    "preview": "package controller\n\nimport (\n\t\"context\"\n\t\"crypto/rsa\"\n\t\"crypto/x509\"\n\t\"encoding/pem\"\n\t\"fmt\"\n\t\"testing\"\n\t\"time\"\n\n\tv1 \"k8s"
  },
  {
    "path": "pkg/controller/metrics.go",
    "chars": 4171,
    "preview": "package controller\n\nimport (\n\t\"net/http\"\n\n\t\"github.com/bitnami-labs/sealed-secrets/pkg/apis/sealedsecrets/v1alpha1\"\n\t\"gi"
  },
  {
    "path": "pkg/controller/metrics_test.go",
    "chars": 5928,
    "preview": "package controller\n\nimport (\n\t\"testing\"\n\n\tssv1alpha1 \"github.com/bitnami-labs/sealed-secrets/pkg/apis/sealedsecrets/v1al"
  },
  {
    "path": "pkg/controller/server.go",
    "chars": 4712,
    "preview": "package controller\n\nimport (\n\t\"crypto/x509\"\n\t\"encoding/pem\"\n\t\"io\"\n\t\"log\"\n\t\"log/slog\"\n\t\"net/http\"\n\t\"time\"\n\n\t\"github.com/p"
  },
  {
    "path": "pkg/controller/server_test.go",
    "chars": 1891,
    "preview": "package controller\n\nimport (\n\t\"context\"\n\t\"crypto/x509\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"strings\"\n\t\"sync\"\n\t\"testing\"\n\t\"time\"\n\n\t"
  },
  {
    "path": "pkg/controller/signal_notwin.go",
    "chars": 294,
    "preview": "//go:build !windows\n// +build !windows\n\npackage controller\n\nimport (\n\t\"os\"\n\t\"os/signal\"\n\t\"syscall\"\n)\n\nfunc initKeyGenSig"
  },
  {
    "path": "pkg/controller/signal_windows.go",
    "chars": 69,
    "preview": "package controller\n\nfunc initKeyGenSignalListener(trigger func()) {}\n"
  },
  {
    "path": "pkg/crypto/crypto.go",
    "chars": 3276,
    "preview": "package crypto\n\nimport (\n\t\"crypto/aes\"\n\t\"crypto/cipher\"\n\t\"crypto/rsa\"\n\t\"crypto/sha256\"\n\t\"encoding/binary\"\n\t\"errors\"\n\t\"fm"
  },
  {
    "path": "pkg/crypto/keys.go",
    "chars": 1866,
    "preview": "package crypto\n\nimport (\n\t\"crypto/rand\"\n\t\"crypto/rsa\"\n\t\"crypto/x509\"\n\t\"crypto/x509/pkix\"\n\t\"io\"\n\t\"math/big\"\n\t\"time\"\n)\n\n//"
  },
  {
    "path": "pkg/crypto/keys_test.go",
    "chars": 616,
    "preview": "package crypto\n\nimport (\n\t\"crypto/rsa\"\n\t\"io\"\n\tmathrand \"math/rand\"\n\t\"reflect\"\n\t\"testing\"\n\t\"time\"\n)\n\n// This is omg-not s"
  },
  {
    "path": "pkg/flagenv/flagenv.go",
    "chars": 1522,
    "preview": "// Package flagenv implements a simple way to expose all your flags as environmental variables.\n//\n// Commandline flags "
  },
  {
    "path": "pkg/flagenv/flagenv_test.go",
    "chars": 730,
    "preview": "package flagenv_test\n\nimport (\n\t\"flag\"\n\t\"fmt\"\n\t\"os\"\n\t\"testing\"\n\n\t\"github.com/bitnami-labs/sealed-secrets/pkg/flagenv\"\n)\n"
  },
  {
    "path": "pkg/kubeseal/kubeseal.go",
    "chars": 17646,
    "preview": "package kubeseal\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/rand\"\n\t\"crypto/rsa\"\n\t\"encoding/base64\"\n\t\"encoding/json\"\n\t\"errors"
  },
  {
    "path": "pkg/kubeseal/kubeseal_test.go",
    "chars": 31556,
    "preview": "package kubeseal\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/rand\"\n\t\"crypto/rsa\"\n\t\"crypto/x509\"\n\t\"encoding/pem\"\n\t\"fmt\"\n\t\"io\"\n"
  },
  {
    "path": "pkg/log/log.go",
    "chars": 1401,
    "preview": "package log\n\nimport (\n\t\"context\"\n\t\"io\"\n\t\"log/slog\"\n)\n\n// MultiStreamHandler slog handler for directing different\ntype Mu"
  },
  {
    "path": "pkg/multidocyaml/multidocyaml.go",
    "chars": 506,
    "preview": "package multidocyaml\n\nimport (\n\t\"bytes\"\n\t\"fmt\"\n\n\t\"gopkg.in/yaml.v2\"\n)\n\nfunc isMultiDocumentYAML(src []byte) bool {\n\tdec "
  },
  {
    "path": "pkg/multidocyaml/multidocyaml_test.go",
    "chars": 466,
    "preview": "package multidocyaml\n\nimport \"testing\"\n\nfunc TestIsMultiDocumentYAML(t *testing.T) {\n\ttestCases := []struct {\n\t\tsrc stri"
  },
  {
    "path": "pkg/pflagenv/flagenv.go",
    "chars": 1558,
    "preview": "// Package pflagenv implements a simple way to expose all your pflag flags as environmental variables.\n//\n// Commandline"
  },
  {
    "path": "pkg/pflagenv/flagenv_test.go",
    "chars": 757,
    "preview": "package pflagenv_test\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"testing\"\n\n\t\"github.com/bitnami-labs/sealed-secrets/pkg/pflagenv\"\n\tflag \"g"
  },
  {
    "path": "schema-v1alpha1.yaml",
    "chars": 5008,
    "preview": "openAPIV3Schema:\n  description: |-\n    SealedSecret is the K8s representation of a \"sealed Secret\" - a\n    regular k8s S"
  },
  {
    "path": "scripts/check-k8s",
    "chars": 509,
    "preview": "#!/bin/bash\n\nset -euo pipefail\n\nexport K8S_CONTEXT=\"${K8S_CONTEXT}\"\n\nif kubectl config current-context > /dev/null ;then"
  },
  {
    "path": "scripts/kubeseal-sudo",
    "chars": 3478,
    "preview": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Constants\nRESET='\\033[0m'\nGREEN='\\033[38;5;2m'\nRED"
  },
  {
    "path": "scripts/release-check",
    "chars": 388,
    "preview": "#!/usr/bin/env bash\n\nset -o nounset\n\nfunction docker_tag_exists() {\n\tdocker pull $1:$2 > /dev/null\n}\n\nfunction find_rele"
  },
  {
    "path": "site/.gitignore",
    "chars": 145,
    "preview": ".vagrant\n.DS_Store\n.sass-cache\n_ignore\nnode_modules\n_site\n.jekyll\n.jekyll-metadata\n.bundle\n.vscode\n\n*.log\n*.js.map\n*.css"
  },
  {
    "path": "site/README.md",
    "chars": 869,
    "preview": "# Website for [Sealed Secrets](https://sealed-secrets.netlify.app/)\n\n## Deployment\n\nThe website will be deployed to prod"
  },
  {
    "path": "site/archetypes/default.md",
    "chars": 84,
    "preview": "---\ntitle: \"{{ replace .Name \"-\" \" \" | title }}\"\ndate: {{ .Date }}\ndraft: true\n---\n\n"
  },
  {
    "path": "site/config.yaml",
    "chars": 1333,
    "preview": "baseURL: \"https://sealed-secrets.netlify.app\"\nlanguageCode: \"en-us\"\ntitle: \"Sealed Secrets\"\ntheme: \"template\"\noutputs:\n "
  },
  {
    "path": "site/content/community/_index.html",
    "chars": 3079,
    "preview": "---\ntitle: \"Community\"\nlayout: section\n---\n\n<div class=\"hero subpage-hero\">\n    <div class=\"wrapper\">\n        <h1>Commun"
  },
  {
    "path": "site/content/contributors/agarcia-oss.md",
    "chars": 116,
    "preview": "---\nfirst_name: Alfredo\nlast_name: García\nimage: /img/team/agarcia-oss.png\ngithub_handle: agarcia-oss\n---\nMaintainer"
  },
  {
    "path": "site/content/contributors/alvneiayu.md",
    "chars": 110,
    "preview": "---\nfirst_name: Alvaro\nlast_name: Neira\nimage: /img/team/alvneiayu.png\ngithub_handle: alvneiayu\n---\nMaintainer"
  },
  {
    "path": "site/content/contributors/index.md",
    "chars": 22,
    "preview": "---\nheadless: true\n---"
  },
  {
    "path": "site/content/docs/CONTRIBUTING.md",
    "chars": 2047,
    "preview": "# Contributing\n\nLeo urna molestie at elementum eu facilisis sed odio. Non nisi est sit amet facilisis.\n\n## Magna etiam t"
  },
  {
    "path": "site/content/docs/_index.md",
    "chars": 142,
    "preview": "---\nversion: latest\ncascade:\n  layout: docs\n---\n\n# Sealed Secrets documentation\n\nExplore the [latest version docs](./lat"
  },
  {
    "path": "site/content/docs/img/_index.md",
    "chars": 576,
    "preview": "# Update Images\n\n## Imperdiet sed euismod nisi porta\n\n- [Image](placeholder-750x250.png) gestas pretium aenean `plantuml"
  },
  {
    "path": "site/content/docs/latest/README.md",
    "chars": 1463,
    "preview": "\n# Sealed Secrets documentation\n\nEverything you need to know about Sealed Secrets.\n\n> NOTE: we are currently moving our "
  },
  {
    "path": "site/content/docs/latest/_index.md",
    "chars": 105,
    "preview": "---\nversion: latest\ncascade:\n  layout: docs\n---\n\n{{%  readfile file=\"/content/docs/latest/README.md\" %}}\n"
  },
  {
    "path": "site/content/docs/latest/background/README.md",
    "chars": 1131,
    "preview": "# Sealed Secrets Background\n\nBig-picture explanations of higher-level Sealed Secrets concepts. Most useful for building "
  },
  {
    "path": "site/content/docs/latest/background/_index.md",
    "chars": 116,
    "preview": "---\nversion: latest\ncascade:\n  layout: docs\n---\n\n{{%  readfile file=\"/content/docs/latest/background/README.md\" %}}\n"
  },
  {
    "path": "site/content/docs/latest/background/cryptography.md",
    "chars": 11351,
    "preview": "# Cryptography details of Sealed Secrets\n\n<!-- START doctoc generated TOC please keep comment here to allow auto update "
  },
  {
    "path": "site/content/docs/latest/howto/README.md",
    "chars": 1472,
    "preview": "# How-to guides\n\nHow-to guides can be thought of as directions that guide the reader through the steps to achieve a spec"
  },
  {
    "path": "site/content/docs/latest/howto/_index.md",
    "chars": 111,
    "preview": "---\nversion: latest\ncascade:\n  layout: docs\n---\n\n{{%  readfile file=\"/content/docs/latest/howto/README.md\" %}}\n"
  },
  {
    "path": "site/content/docs/latest/howto/validate-sealed-secrets.md",
    "chars": 1052,
    "preview": "# How-to Validate existing Sealed Secrets\n\nThe `validate` Sealed Secrets feature is useful for ensuring the correctness "
  },
  {
    "path": "site/content/docs/latest/project/.placeholder",
    "chars": 468,
    "preview": "This directory is expected to contain symlinks to certain files of the root project directory. This way, these files wil"
  },
  {
    "path": "site/content/docs/latest/project/_index.md",
    "chars": 113,
    "preview": "---\nversion: latest\ncascade:\n  layout: docs\n---\n\n{{%  readfile file=\"/content/docs/latest/project/readme.md\" %}}\n"
  },
  {
    "path": "site/content/docs/latest/reference/README.md",
    "chars": 1179,
    "preview": "# Sealed Secrets Reference\n\nThis section contains technical reference and developer guides for Sealed Secrets.\n\n| Refere"
  },
  {
    "path": "site/content/docs/latest/reference/_index.md",
    "chars": 115,
    "preview": "---\nversion: latest\ncascade:\n  layout: docs\n---\n\n{{%  readfile file=\"/content/docs/latest/reference/README.md\" %}}\n"
  },
  {
    "path": "site/content/docs/latest/reference/faq.md",
    "chars": 6869,
    "preview": "# Frequently Asked Questions\n\n<!-- START doctoc generated TOC please keep comment here to allow auto update -->\n<!-- DON"
  },
  {
    "path": "site/content/docs/latest/tutorials/README.md",
    "chars": 1651,
    "preview": "# Sealed Secrets tutorials\n\nThis section of our documentation contains step-by-step tutorials to help outline what Seale"
  },
  {
    "path": "site/content/docs/latest/tutorials/_index.md",
    "chars": 115,
    "preview": "---\nversion: latest\ncascade:\n  layout: docs\n---\n\n{{%  readfile file=\"/content/docs/latest/tutorials/README.md\" %}}\n"
  },
  {
    "path": "site/content/docs/latest/tutorials/getting-started.md",
    "chars": 6211,
    "preview": "# Get Started with Sealed Secrets\n\n## Table of Contents\n\n1. [Introduction](#introduction)\n1. [Pre-requisites](#pre-requi"
  },
  {
    "path": "site/content/docs/latest/tutorials/install-sealed-secrets.md",
    "chars": 5807,
    "preview": "# Sealed Secrets controller installation\n\n<!-- START doctoc generated TOC please keep comment here to allow auto update "
  },
  {
    "path": "site/content/posts/_index.md",
    "chars": 120,
    "preview": "---\ntitle: \"Blog\"\nid: blog\nurl: /blog\noutputs: [\"HTML\", \"RSS\"]\nlayout: listß\n_build:\n  render: never\n  list: never\n---\n\n"
  },
  {
    "path": "site/content/resources/_index.html",
    "chars": 2853,
    "preview": "---\nlayout: page\ntitle: Resources\ndescription: Sealed Secrets Resources\nid: resources\n---\n\n<div class=\"hero subpage-hero"
  },
  {
    "path": "site/data/docs/latest-toc.yml",
    "chars": 772,
    "preview": "---\ntoc:\n  - title: About Sealed Secrets\n    subfolderitems:\n      - page: What is Sealed Secrets\n        url: /project/"
  },
  {
    "path": "site/data/docs/toc-mapping.yml",
    "chars": 246,
    "preview": "# This file can be used to explicitly map a release to a specific table-of-contents\n# (TOC). You'll want to use this aft"
  },
  {
    "path": "site/resources/_gen/assets/scss/scss/site.scss_8967e03afb92eb0cac064520bf021ba2.content",
    "chars": 29995,
    "preview": "body{font-family:\"Metropolis-Light\",Helvetica,sans-serif;margin:0px;line-height:1.25}.wrapper{max-width:980px;margin:0px"
  },
  {
    "path": "site/resources/_gen/assets/scss/scss/site.scss_8967e03afb92eb0cac064520bf021ba2.json",
    "chars": 59,
    "preview": "{\"Target\":\"css/style.css\",\"MediaType\":\"text/css\",\"Data\":{}}"
  },
  {
    "path": "site/themes/template/archetypes/default.md",
    "chars": 73,
    "preview": "+++\ntitle = \"{{ replace .Name \"-\" \" \" | title }}\"\ndate = {{ .Date }}\n+++\n"
  },
  {
    "path": "site/themes/template/assets/scss/_base.scss",
    "chars": 7036,
    "preview": "@import 'variables';\n@import 'mixins';\n\n$font-family-base: \"Metropolis-Light\", Helvetica, sans-serif;\n$metropolis-light:"
  },
  {
    "path": "site/themes/template/assets/scss/_components.scss",
    "chars": 17809,
    "preview": "@import 'variables';\n@import 'mixins';\n\n/* Homepage Hero */\n.hero {\n    background-color: $mainblue;\n    color: $white;\n"
  },
  {
    "path": "site/themes/template/assets/scss/_footer.scss",
    "chars": 2383,
    "preview": "@import 'variables';\n@import 'mixins';\n@import 'base';\n\nfooter {\n    .top-links {\n        min-height: 52px;\n        disp"
  },
  {
    "path": "site/themes/template/assets/scss/_header.scss",
    "chars": 2363,
    "preview": "@import 'variables';\n@import 'mixins';\n@import 'base';\n\nheader {\n    .wrapper {\n        padding: 10px 20px;\n        min-"
  },
  {
    "path": "site/themes/template/assets/scss/_mixins.scss",
    "chars": 935,
    "preview": "@mixin breakpoint($point) {\n\t$small: 767px; // Up to 767px\n    $medium: 1279px; // Up to 1279px\n    $large: 1439px; // U"
  },
  {
    "path": "site/themes/template/assets/scss/_variables.scss",
    "chars": 184,
    "preview": "$white: #ffffff;\n$blue: #0095D3;\n$darkgrey: #333333;\n$grey: #777777;\n$lightgrey: #F2F2F2;\n$darkblue: #002538;\n$purple: #"
  },
  {
    "path": "site/themes/template/assets/scss/site.scss",
    "chars": 112,
    "preview": "@import 'header';\n@import 'footer';\n@import 'base';\n@import 'variables';\n@import 'components';\n@import 'mixins';"
  },
  {
    "path": "site/themes/template/layouts/_default/_markup/render-image.html",
    "chars": 436,
    "preview": "{{ $link := .Destination }}\n{{ if not (strings.HasPrefix $link \"http\") }}\n    {{ if strings.HasSuffix .Page.Parent.RelPe"
  }
]

// ... and 52 more files (download for full content)

About this extraction

This page contains the full source code of the bitnami-labs/sealed-secrets GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 252 files (934.0 KB), approximately 259.3k tokens, and a symbol index with 456 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
