What's Changed

• chore(deps): bump github.com/klauspost/compress from 1.15.0 to 1.15.1 by @dependabot in https://github.com/elastic/harp/pull/153
• chore(deps): bump github.com/open-policy-agent/opa from 0.38.0 to 0.38.1 by @dependabot in https://github.com/elastic/harp/pull/154
• chore(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.1 by @dependabot in https://github.com/elastic/harp/pull/155
• chore(deps): bump go.step.sm/crypto from 0.15.3 to 0.16.0 by @dependabot in https://github.com/elastic/harp/pull/157
• chore(deps): bump github.com/magefile/mage from 1.12.1 to 1.13.0 by @dependabot in https://github.com/elastic/harp/pull/156
• chore(deps): bump github/codeql-action from 1 to 2 by @dependabot in https://github.com/elastic/harp/pull/177
• [chore] Repo Maintenance by @fin09pcap in https://github.com/elastic/harp/pull/191
• chore(deps): bump google.golang.org/protobuf from 1.27.1 to 1.28.0 by @dependabot in https://github.com/elastic/harp/pull/161
• chore(deps): bump docker/build-push-action from 2 to 3 by @dependabot in https://github.com/elastic/harp/pull/184
• chore(deps): bump docker/metadata-action from 3 to 4 by @dependabot in https://github.com/elastic/harp/pull/183
• chore(deps): bump go.etcd.io/etcd/client/v3 from 3.5.2 to 3.5.4 by @dependabot in https://github.com/elastic/harp/pull/176
• chore(deps): bump github.com/cloudflare/tableflip from 1.2.2 to 1.2.3 by @dependabot in https://github.com/elastic/harp/pull/166
• chore(deps): bump goreleaser/goreleaser-action from 2 to 3 by @dependabot in https://github.com/elastic/harp/pull/192
• chore(deps): bump docker/setup-buildx-action from 1 to 2 by @dependabot in https://github.com/elastic/harp/pull/195
• fix(config): loader was not working with subcommands. by @Zenithar in https://github.com/elastic/harp/pull/188
• chore(deps): bump oras.land/oras-go from 1.1.0 to 1.1.1 by @dependabot in https://github.com/elastic/harp/pull/171
• chore(deps): bump github.com/pelletier/go-toml from 1.9.4 to 1.9.5 by @dependabot in https://github.com/elastic/harp/pull/175
• fix: update validator to use human names for IBM regions by @fin09pcap in https://github.com/elastic/harp/pull/178
• chore(deps): bump sigstore/cosign-installer from 2.1.0 to 2.3.0 by @dependabot in https://github.com/elastic/harp/pull/179
• chore(deps): bump github.com/google/cel-go from 0.10.1 to 0.11.4 by @dependabot in https://github.com/elastic/harp/pull/185
• chore(deps): bump docker/login-action from 1 to 2 by @dependabot in https://github.com/elastic/harp/pull/199
• chore(deps): bump docker/setup-qemu-action from 1 to 2 by @dependabot in https://github.com/elastic/harp/pull/198
• chore(deps): bump actions/cache from 2.1.7 to 3.0.3 by @dependabot in https://github.com/elastic/harp/pull/193
• chore(deps): bump go.step.sm/crypto from 0.16.0 to 0.16.2 by @dependabot in https://github.com/elastic/harp/pull/187
• chore(deps): bump github.com/sethvargo/go-diceware from 0.2.1 to 0.3.0 by @dependabot in https://github.com/elastic/harp/pull/194
• Fix yaml serialization from pb by @Zenithar in https://github.com/elastic/harp/pull/221
• fix: add regions for google cloud provider by @fin09pcap in https://github.com/elastic/harp/pull/268
• fix: update cmdutil.Reader to use os.Openfile by @fin09pcap in https://github.com/elastic/harp/pull/277
• [RuleSet] add support for annotations and labels by @fin09pcap in https://github.com/elastic/harp/pull/271

Full Changelog: https://github.com/elastic/harp/compare/v0.2.10...v0.2.11

0.2.9

2022-03-13

BREAKING-CHANGES:

• FIPS artifacts are disabled by default on GitHub Actions CI but still can be
  built locally.
• harp-artifacts containing all harp binaries will not be produced anymore.

FEATURES:

• cli/lint:

  • Provide command to Lint YAML/JSON content for Bundle, BundleTemplate, RuleSet and BundlePatch. #138

• cli/render:

  • Generate a configuration file system from an archive. #149

• cli/template:

  • Support archive as file loader.

• sdk/api:

  • Bundle, BundleTemplate, RuleSet and BundlePatch JSON schema are published. #138
  • JSON Schema for all configuration files. #145

• sdk/crate:

  • A crate is an OCI Compatible image which can be pushed to OCI compliant
    registries.
  • crate push is used to prepare a crate with a sealed container and
    optionally an archive - OCI Push #138
  • This is used to publish the sealed container and the templates used to
    render the final configuration.
  • crate copy is used to retrieve a remote crate from a registry. #147

DIST:

• docker:
  • Multi-architecture docker images are produced.

What's Changed

• chore(deps): bump actions/cache from 1 to 2.1.7 by @dependabot in https://github.com/elastic/harp/pull/136
• chore(deps): bump github.com/hashicorp/vault/api from 1.3.1 to 1.4.1 by @dependabot in https://github.com/elastic/harp/pull/135
• Chore go maintenance by @Zenithar in https://github.com/elastic/harp/pull/137
• chore(deps): bump actions/checkout from 2 to 3 by @dependabot in https://github.com/elastic/harp/pull/139
• chore(deps): bump github.com/open-policy-agent/opa from 0.37.2 to 0.38.0 by @dependabot in https://github.com/elastic/harp/pull/140
• chore(deps): bump sigstore/cosign-installer from 2.0.1 to 2.1.0 by @dependabot in https://github.com/elastic/harp/pull/143
• chore(deps): bump go.step.sm/crypto from 0.15.1 to 0.15.2 by @dependabot in https://github.com/elastic/harp/pull/142
• chore(deps): bump github.com/klauspost/compress from 1.14.4 to 1.15.0 by @dependabot in https://github.com/elastic/harp/pull/141
• feat(crate): introduce crate concept. by @Zenithar in https://github.com/elastic/harp/pull/138
• Feat config jsonschema by @Zenithar in https://github.com/elastic/harp/pull/145
• chore(deps): bump github.com/google/cel-go from 0.9.0 to 0.10.0 by @dependabot in https://github.com/elastic/harp/pull/144
• feat(lint): schema autodetection from content. by @Zenithar in https://github.com/elastic/harp/pull/146
• feat(create): copy command. by @Zenithar in https://github.com/elastic/harp/pull/147
• chore(deps): bump google.golang.org/grpc from 1.44.0 to 1.45.0 by @dependabot in https://github.com/elastic/harp/pull/148
• chore(deps): bump go.step.sm/crypto from 0.15.2 to 0.15.3 by @dependabot in https://github.com/elastic/harp/pull/152
• chore(deps): bump github.com/spf13/cobra from 1.3.0 to 1.4.0 by @dependabot in https://github.com/elastic/harp/pull/150
• chore(deps): bump github.com/google/cel-go from 0.10.0 to 0.10.1 by @dependabot in https://github.com/elastic/harp/pull/151
• feat(archive): make in-memory fs walkable. by @Zenithar in https://github.com/elastic/harp/pull/149

Full Changelog: https://github.com/elastic/harp/compare/v0.2.8...v0.2.9

FEATURES:

• cli:
  • darwin-amd64 and darwin-arm64 are code signed and notarized using an Apple Developer ID certificate to allow harp execution on Silicon M1 based computers. #134
• cli/transform:
  • compress/decompress commands for various algorithms. #117
  • hash/multihash command for various hashing algorithms. #117
  • encode/decode command for various encoding strategies #117
• bundle/ruleset:
  • enable rego language for RuleSet constraint engine. #134
• sdk/api:
  • support user_data for Bundle, Package, SecretChain to store custom arbitrary data during pipeline execution. #134
• sdk/value:
  • encoding reader / writer factory. #117
  • compression reader/writer factory. #117
  • hash writer factory. #117

CHANGES:

• go:
  • FIPS artifact build process is disabled.
• git:
  • the tag cmd/harp/vX.XX will never be produced.
• ci:
  • dependabot setup to monitor and automate dependency updates.
  • the release pipeline has been completely redesigned to use goreleaser.
  • SLSA provenance is temporary disabled due to a lack of the multiplatform support for the used action.

DIST:

• build/ci:
  • SHA256 fingerprint is provided per artifact.
  • SBOM is embedded in the artifact archive.
• build/gha:
  • zntrio/harp-installer github action could be used to set up harp during your github action pipelines.

Full Changelog: https://github.com/elastic/harp/compare/v0.2.7...v0.2.8

FEATURES:

• bundle/from:
  • read a HCL bundle descriptor to generate the binary bundle. #114
• bundle/patch:
  • support --stop-at-rule-index=<int> and --stop-at-rule-id=<string> flags for bundle patch to stop patch evaluation before requested rule identifier or index. #112
  • --ignore-rule-id and --ignore-rule-index flags to ignore matching rules during bundle patch evaluation. #112
• bundle/selector:
  • support regoFile to load a Rego filter policy from a file. #111
  • cel query language #111
    • p.match_label(globstring, globstring) can be used to match label key and value
    • p.match_annotation(globstring, globstring) can be used to match annotation key and value

DIST:

• go: Build with Golang 1.17.7.
• go-boring: Build with Golang 1.17.7b7.

What's Changed

• feat(bundle): rego file selector. by @Zenithar in https://github.com/elastic/harp/pull/111
• feat(patch): rule evaluation stopper flags. by @Zenithar in https://github.com/elastic/harp/pull/112
• chore(go): update go to 1.17.7 by @Zenithar in https://github.com/elastic/harp/pull/113
• feat(bundle): HCL bundle descriptor. by @Zenithar in https://github.com/elastic/harp/pull/114
• chore(ci): update goboring to 1.17.7. by @Zenithar in https://github.com/elastic/harp/pull/115
• fix(test): disable golden tests due to map order stability. by @Zenithar in https://github.com/elastic/harp/pull/116

Full Changelog: https://github.com/elastic/harp/compare/v0.2.6...cmd/harp/v0.2.7

What's Changed

• Doc general onboarding by @Zenithar in https://github.com/elastic/harp/pull/101
• feat(transformer): support AGE encryption. by @Zenithar in https://github.com/elastic/harp/pull/102
• feat(value): deterministic authenticated encryption. by @Zenithar in https://github.com/elastic/harp/pull/103
• feat(value): additional data support for AEAD/DAE transformers. by @Zenithar in https://github.com/elastic/harp/pull/104
• feat(pipeline): allow reader/writer customization. by @Zenithar in https://github.com/elastic/harp/pull/105
• Feat bundle rego filter by @Zenithar in https://github.com/elastic/harp/pull/106
• doc(bundle): add sample rego based patch. by @Zenithar in https://github.com/elastic/harp/pull/107
• feat(patch): reverse bundle iteration logic. by @Zenithar in https://github.com/elastic/harp/pull/108
• Feat package cel matcher by @Zenithar in https://github.com/elastic/harp/pull/109
• Feat bundle matcher languages harmonization by @Zenithar in https://github.com/elastic/harp/pull/110

Full Changelog: https://github.com/elastic/harp/compare/v0.2.5...v0.2.6

2022-02-07

FEATURES:

• template/engine:
  • isodate time formatter to RFC3389 date format.
• bundle/pipeline:
  • Support custom input reader and output writer. #105
• bundle/selector:
  • support glob for package path and secret key matcher. #110
  • support rego policy for bunde filter command and BundlePatch selector. #106
  • support cel expressions used in BundleRuleSet for package matchers in bundle filter command and BundlePatch selector. #109
• sdk/value:
  • support age encryption as value transformer. #102
  • support deterministic authenticated encryption value transformers. #103
  • support additional data for AEAD/DAE transformers. #104
  • DAE transformers can be initialized using an optional salt to derive different keys from the transformer key. #104

DIST

• go: Build with Golang 1.17.6.
• build/ci
  • Add SLSA Level 1 - Provenance generation step for binaries.
  • Add Snyk as code / dependencies scanner via SARIF.
  • Add Trivy dependencies scanner via SARIF.

Full Changelog: https://github.com/elastic/harp/compare/v0.2.5...cmd/harp/v0.2.6

What's Changed

• feat(template): JWT parser/verifier. by @Zenithar in https://github.com/elastic/harp/pull/95
• chore(go): fix possible dependency spoofing. by @Zenithar in https://github.com/elastic/harp/pull/96
• Feat template crypto tls dane compute by @Zenithar in https://github.com/elastic/harp/pull/97
• Feat gha secret provisioner by @Zenithar in https://github.com/elastic/harp/pull/98
• fix(vault): custom metadata could be nil. by @Zenithar in https://github.com/elastic/harp/pull/99
• chore(repository): v0.2.5 maintenance by @Zenithar in https://github.com/elastic/harp/pull/100

Full Changelog: https://github.com/elastic/harp/compare/v0.2.4...v0.2.5

What's Changed

• chore(go): enable go1.18. by @Zenithar in https://github.com/elastic/harp/pull/92
• feat(go): migrate offline fuzz tests to native go. by @Zenithar in https://github.com/elastic/harp/pull/93
• Chore repository maintenance by @Zenithar in https://github.com/elastic/harp/pull/94

Full Changelog: https://github.com/elastic/harp/compare/v0.2.3...v0.2.4

Changes

• Use Go 1.17.5 (std + goboring)
• Github actions automation for release process

What's Changed

• feat(crypto): move pasetov4 to security sdk. by @Zenithar in https://github.com/elastic/harp/pull/87
• feat(paseto): benchmarks and API changes. by @Zenithar in https://github.com/elastic/harp/pull/88
• feat(seal): fips compliant container seal algorithm. by @Zenithar in https://github.com/elastic/harp/pull/89
• fix(sec): GHSA on opencontainer/runc used in tests. by @Zenithar in https://github.com/elastic/harp/pull/91
• feat(transformer): support JWS, PASETO signer and verifier. by @Zenithar in https://github.com/elastic/harp/pull/90

Full Changelog: https://github.com/elastic/harp/compare/v0.2.2...v0.2.3

What's Changed

• crypto: paseto v4 public implementation by @Zenithar in https://github.com/elastic/harp/pull/83
• Additional regions for Azure and IBM by @fin09pcap in https://github.com/elastic/harp/pull/84
• Test kv consul unit tests by @Zenithar in https://github.com/elastic/harp/pull/85

Full Changelog: https://github.com/elastic/harp/compare/v0.2.1...v0.2.2

2021-11-24

CHANGES:

• cso/v1: Support new Azure and IBM regions. #84

What's Changed

• chore(go): update to 1.17.3. by @Zenithar in https://github.com/elastic/harp/pull/76
• refactoring(test): autumn cleanup by @Zenithar in https://github.com/elastic/harp/pull/77
• test(pkg/kv): integration tests by @Zenithar in https://github.com/elastic/harp/pull/78
• chore(legal): update dependencies and regenerate notice. by @Zenithar in https://github.com/elastic/harp/pull/79
• Feat crypto migrate to ed25519 identities by @Zenithar in https://github.com/elastic/harp/pull/80
• feat(cmd): KV store publication commands. by @Zenithar in https://github.com/elastic/harp/pull/81
• feat(value): paseto transformer. by @Zenithar in https://github.com/elastic/harp/pull/82

Full Changelog: https://github.com/elastic/harp/compare/v0.2.0...v0.2.1

2021-11-17

BREAKING-CHANGES:

• cmd/ruleset: Ruleset generation from a Bundle has been relocated to to ruleset command. #77
• bundle/filter: parameter --jmespath as been renamed to --query. #77
• bundle/dump: parameter --jmespath as been renamed to --query. #77
• deprecation: package github.com/elastic/harp/pkg/bundle/vfs has been removed. The Golang 1.16 fs.FS implementation must be used and located at github.com/elastic/harp/pkg/bundle/fs. #77
• container/identity: identities are using ed25519 key pairs vs x25519 keys in previous versions. For conversion, you can still unseal a container using old x25519 key based identities, but you can't seal with them. To be future-proof, you have to regenerate new identities. #79
• sdk/transformer: Encryption transformers must be imported to be registered in the encryption transformer registry. #80

FEATURES:

• bundle/encryption: Partial bundle encryption based on annotations. #77
• task/bundle: Fully unit tested. #77
• core/kv: Support KV Store publication for Etcd3/Zookeeper/Consul. #77
• value/transformer: Transformer mock is available for testing. #77
• value/encryption: Expose encryption.Must(value.Transformer, error) to build a transformer instance with a panic raised on error. #77
• sdk/cmdutil: DiscardWriter() is a io.Writer provider used to discard all output. #77
• sdk/cmdutil: DirectWriter(io.Writer) is a io.Writer provider used to delegate to input writer. #77
• sdk/cmdutil: NewClosedWriter() is a io.Writer implementation who always return on Write() calls. #77
• pkg/kv: integration tests and behavior validation test suite. #78
• value/transformers: expose new JWE based encryption transformers #80
  • jwe:a128kw:<base64> to initialize a AES128 Key Wrapper with AES128 GCM Encryption transformer
  • jwe:a192kw:<base64> to initialize a AES192 Key Wrapper with AES192 GCM Encryption transformer
  • jwe:a256kw:<base64> to initialize a AES256 Key Wrapper with AES256 GCM Encryption transformer
  • jwe:pbes2-hs256-a128kw:<ascii> to initialize a PBES2 key derivation function for AES128 key wrapping with AES128 GCM Encryption transformer
  • jwe:pbes2-hs384-a192kw:<ascii> to initialize a PBES2 key derivation function for AES192 key wrapping with AES192 GCM Encryption transformer
  • jwe:pbes2-hs512-a256kw:<ascii> to initialize a PBES2 key derivation function for AES256 key wrapping with AES256 GCM Encryption transformer
• sdk/transformer: Encryption transformer dynamic factory. #80
  • Use pkg/value/encryption.Register(prefix, factory) to register a transformer factory matching the given prefix.
• bundle/prefixer: parameter --remove added to support prefix removal operation. #81
• to/object: support toml format as output. #81
• value/transformer: Support PASETO v4.local transformer. #82

CHANGES:

• container/identity: converge to value.Transformer usage for identity protection. #81
• container/recover: converge to value.Transformer usage for container key recovery from an identity. #81
• sdk/types: IsNil() now recognize nil function pointer. #77
• sdk/dep: #79
  • github.com/google/gops v0.3.22
  • github.com/gosimple/slug v1.11.2
  • github.com/hashicorp/consul/api v1.11.0
  • github.com/hashicorp/vault/api v1.3.0
  • github.com/zclconf/go-cty v1.10.0
  • go.step.sm/crypto v0.13.0
  • golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa
  • golang.org/x/sys v0.0.0-20211113001501-0c823b97ae02
  • google.golang.org/genproto v0.0.0-20211112145013-271947fe86fd
  • google.golang.org/grpc v1.42.0

DIST:

• go: Build with Golang 1.17.3.
• tools: Update golangci-lint to v1.43.0. #76
• docs: General review for typo / grammar.

What's Changed

• feat(vault): support custom metadata. by @Zenithar in https://github.com/elastic/harp/pull/68
• feat(vault): support read from legacy metadata format. by @Zenithar in https://github.com/elastic/harp/pull/69
• feat(template) add json escaping functions. by @Zenithar in https://github.com/elastic/harp/pull/70
• Chore brew fix formula generation by @Zenithar in https://github.com/elastic/harp/pull/71
• Chore deps repository maintenance by @Zenithar in https://github.com/elastic/harp/pull/72
• Feat crypto use smallstep library by @Zenithar in https://github.com/elastic/harp/pull/73
• feat(bundle): bundle package path prefixer. by @Zenithar in https://github.com/elastic/harp/pull/74
• feat(plugin): make kv plugin builtin. by @Zenithar in https://github.com/elastic/harp/pull/75

Full Changelog: https://github.com/elastic/harp/compare/v0.1.24...v0.2.0

0.2.0

2021-10-26

BREAKING-CHANGES:

• Metadata storage has been modified to support a JSON level complexity. All plugins must align their metadata management to the new format.
• Legacy metadata format is converted to new format on read.

DIST:

• go: Build with Golang 1.17.2.
• homebrew: Approriate harp version can be installed according to your platform architecture and OS #71

CHANGES:

• core/vault: Replace json encoded metadata in secret data by a JSON object. #68
• crypto/pem: Delegate PEM encoding/decoding to go.step.sm/crypto #73

FEATURES:

• to/vault: Support Vault >1.9 custom metadata for bundle metadata publication. #68
• from/vault: Support Vault >1.9 custom metadata for bundle metadata retrieval. #68
• from/vault: Support legacy bundle metadata format. #69
• template/engine: jsonEscape / jsonUnescape is added to handle string escaping using JSON character escaping strategy #70
• template/engine: unquote is added to unquote a quote escaped string. #70
• bundle/prefixer: Globally add a prefix to all secret package. #74
• plugin/kv: Promote harp-kv as builtin. #75