sealed-secrets

A Kubernetes controller and tool for one-way encrypted Secrets

APACHE-2.0 License

Downloads: 791
Stars: 7.1K
Committers: 161


sealed-secrets - v0.9.5

Published by mkmik almost 5 years ago

Release Notes

Please read the RELEASE_NOTES, which contain, among other things, important information for those upgrading from previous releases.

Install

Client side

Install client-side tool into /usr/local/bin/:

  • Linux x86_64:
    wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.9.5/kubeseal-linux-amd64 -O kubeseal
    sudo install -m 755 kubeseal /usr/local/bin/kubeseal
  • macOS (might lag a few hours behind a new release):
    brew install kubeseal
  • Other OS/arch: you might find binaries for your OS/arch combo attached to this release below.

Cluster side

Install SealedSecret CRD, server-side controller into kube-system namespace.

$ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.9.5/controller.yaml

NOTE: If you can't (or don't want to) use the kube-system namespace, please consider this approach

NOTE: if you want to install it on a GKE cluster for which your user account doesn't have admin rights, please read this

NOTE: since the helm chart is currently maintained elsewhere (see https://github.com/helm/charts/tree/master/stable/sealed-secrets) the update of the helm chart might not happen in sync with releases here.

sealed-secrets -

Published by mkmik almost 5 years ago

Release Notes

Please read the RELEASE_NOTES, which contain, among other things, important information for those upgrading from previous releases.

Install

Client side

Install client-side tool into /usr/local/bin/:

  • Linux x86_64:
    wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.9.4/kubeseal-linux-amd64 -O kubeseal
    sudo install -m 755 kubeseal /usr/local/bin/kubeseal
  • macOS (might lag a few hours behind a new release):
    brew install kubeseal
  • Other OS/arch: you might find binaries for your OS/arch combo attached to this release below.

Cluster side

Install SealedSecret CRD, server-side controller into kube-system namespace.

$ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.9.4/controller.yaml

NOTE: If you can't (or don't want to) use the kube-system namespace, please consider this approach

NOTE: if you want to install it on a GKE cluster for which your user account doesn't have admin rights, please read this

NOTE: since the helm chart is currently maintained elsewhere (see https://github.com/helm/charts/tree/master/stable/sealed-secrets) the update of the helm chart might not happen in sync with releases here.

sealed-secrets - v0.9.3

Published by mkmik almost 5 years ago

Release Notes

Please read the RELEASE_NOTES, which contain, among other things, important information for those upgrading from previous releases.

Install

Client side

Install client-side tool into /usr/local/bin/:

  • Linux x86_64:
    wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.9.3/kubeseal-linux-amd64 -O kubeseal
    sudo install -m 755 kubeseal /usr/local/bin/kubeseal
  • macOS (might lag a few hours behind a new release):
    brew install kubeseal
  • Other OS/arch: you might find binaries for your OS/arch combo attached to this release below.

Cluster side

Install SealedSecret CRD, server-side controller into kube-system namespace.

$ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.9.3/controller.yaml

NOTE: If you can't (or don't want to) use the kube-system namespace, please consider this approach

NOTE: if you want to install it on a GKE cluster for which your user account doesn't have admin rights, please read this

NOTE: since the helm chart is currently maintained elsewhere (see https://github.com/helm/charts/tree/master/stable/sealed-secrets) the update of the helm chart might not happen in sync with releases here.

sealed-secrets - v0.9.2

Published by mkmik about 5 years ago

Release Notes

Please read the RELEASE_NOTES, which contain, among other things, important information for those upgrading from previous releases.

Install

Client side

Install client-side tool into /usr/local/bin/:

  • Linux x86_64:
    wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.9.2/kubeseal-linux-amd64 -O kubeseal
    sudo install -m 755 kubeseal /usr/local/bin/kubeseal
  • macOS (might lag a few hours behind a new release):
    brew install kubeseal
  • Other OS/arch: you might find binaries for your OS/arch combo attached to this release below.

Cluster side

Install SealedSecret CRD, server-side controller into kube-system namespace.

$ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.9.2/controller.yaml

NOTE: If you can't (or don't want to) use the kube-system namespace, please consider this approach

NOTE: if you want to install it on a GKE cluster for which your user account doesn't have admin rights, please read this

NOTE: since the helm chart is currently maintained elsewhere (see https://github.com/helm/charts/tree/master/stable/sealed-secrets) the update of the helm chart might not happen in sync with releases here.

sealed-secrets - v0.9.1

Published by mkmik about 5 years ago

Release Notes

Please read the RELEASE_NOTES, which contain, among other things, important information for those upgrading from previous releases.

Install

Client side

Install client-side tool into /usr/local/bin/:

  • Linux x86_64:
    wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.9.1/kubeseal-linux-amd64 -O kubeseal
    sudo install -m 755 kubeseal /usr/local/bin/kubeseal
  • macOS (might lag a few hours behind a new release):
    brew install kubeseal
  • Other OS/arch: you might find binaries for your OS/arch combo attached to this release below.

Cluster side

Install SealedSecret CRD, server-side controller into kube-system namespace.

$ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.9.1/controller.yaml

NOTE: If you can't (or don't want to) use the kube-system namespace, please consider this approach

NOTE: if you want to install it on a GKE cluster for which your user account doesn't have admin rights, please read this

NOTE: since the helm chart is currently maintained elsewhere (see https://github.com/helm/charts/tree/master/stable/sealed-secrets) the update of the helm chart might not happen in sync with releases here.

sealed-secrets - v0.9.0

Published by mkmik about 5 years ago

Release Notes

Please read the RELEASE_NOTES, which contain, among other things, important information for those upgrading from previous releases.

Install

Client side

Install client-side tool into /usr/local/bin/:

  • Linux x86_64:
    wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.9.0/kubeseal-linux-amd64 -O kubeseal
    sudo install -m 755 kubeseal /usr/local/bin/kubeseal
  • macOS (might lag a few hours behind a new release):
    brew install kubeseal
  • Other OS/arch: you might find binaries for your OS/arch combo attached to this release below.

Cluster side

Install SealedSecret CRD, server-side controller into kube-system namespace.

$ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.9.0/controller.yaml

NOTE: If you can't (or don't want to) use the kube-system namespace, please consider this approach

NOTE: if you want to install it on a GKE cluster for which your user account doesn't have admin rights, please read this

NOTE: since the helm chart is currently maintained elsewhere (see https://github.com/helm/charts/tree/master/stable/sealed-secrets) the update of the helm chart might not happen in sync with releases here.

sealed-secrets - v0.9.0-rc.3

Published by mkmik about 5 years ago

This is a release candidate, see RELEASE-NOTES.md for a preview.

Fixes #265

sealed-secrets - v0.9.0-rc.2

Published by mkmik about 5 years ago

This is a release candidate, see RELEASE-NOTES.md for a preview.

sealed-secrets - v0.9.0-rc.1

Published by mkmik about 5 years ago

This is a release candidate, see RELEASE-NOTES.md for a preview.

sealed-secrets - v0.8.3

Published by mkmik about 5 years ago

Announcement

This release contains a fix for a possible secret leak that can happen when sealing existing secrets that have been retrieved from a cluster (e.g. with kubectl get) where they were created with kubectl apply (as opposed to kubectl create).
This potential problem was introduced in v0.8.0, when kubeseal learned how to preserve annotations and labels.

Please check your existing sealed secret sources for any kubectl.kubernetes.io/last-applied-configuration annotation, because that annotation would contain your original secrets in cleartext.

This release strips this annotation (and a similar annotation created by the kubecfg tool).
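
One way to run the check requested above over a directory of stored SealedSecret manifests. This is an added example, not code from the sealed-secrets project. As a generalisation it flags any annotation key ending in /last-applied-configuration, so it also covers similar annotations from other tools. The function names and the sample manifests are constructed for illustration.

```python
import json
from pathlib import Path

# Matches the kubectl annotation named in the announcement and, as a
# generalisation, any other "<prefix>/last-applied-configuration" key.
SUFFIX = "/last-applied-configuration"


def find_leaky_annotations(obj, path="$"):
    """Yield (location, annotation_key) for each match in a parsed manifest."""
    if isinstance(obj, dict):
        annotations = obj.get("annotations")
        if isinstance(annotations, dict):
            for key in annotations:
                if key.endswith(SUFFIX):
                    yield f"{path}.annotations", key
        for name, value in obj.items():
            yield from find_leaky_annotations(value, f"{path}.{name}")
    elif isinstance(obj, list):  # e.g. the items of a "kind: List" document
        for i, value in enumerate(obj):
            yield from find_leaky_annotations(value, f"{path}[{i}]")


def scan_text(text):
    """Structured walk for JSON; line scan for anything else (e.g. YAML)."""
    try:
        return list(find_leaky_annotations(json.loads(text)))
    except ValueError:
        return [(f"line {n}", line.split(":")[0].strip())
                for n, line in enumerate(text.splitlines(), 1)
                if SUFFIX in line]


def scan_tree(root):
    """Map each manifest under `root` that has findings to those findings."""
    report = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix in {".json", ".yaml", ".yml"}:
            hits = scan_text(p.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(p)] = hits
    return report


# Constructed samples: the annotation value embeds the original Secret.
LEAKY_JSON = json.dumps({
    "apiVersion": "bitnami.com/v1alpha1", "kind": "SealedSecret",
    "metadata": {"name": "db", "namespace": "prod", "annotations": {
        "kubectl.kubernetes.io/last-applied-configuration":
            '{"data":{"password":"cGxhY2Vob2xkZXI="}}'}},
    "spec": {"encryptedData": {"password": "AgConstructedCiphertext"}},
})
LEAKY_YAML = "\n".join([
    "kind: SealedSecret", "metadata:", "  annotations:",
    "    kubectl.kubernetes.io/last-applied-configuration: |",
    '      {"data":{"password":"cGxhY2Vob2xkZXI="}}',
])

if __name__ == "__main__":
    for sample in (LEAKY_JSON, LEAKY_YAML):
        print(scan_text(sample))
```

Any finding means the file carries the original Secret in the annotation value, so the values it exposes should be rotated as well as the annotation removed from the source and its history.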

Changelog

Fixes in this release:

  • Round-tripping secrets can leak cleartext in last-applied-configuration (#227)

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/6?closed=1

Install

Client side

Install client-side tool into /usr/local/bin/:

  • Linux x86_64:
    wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.8.3/kubeseal-linux-amd64 -O kubeseal
    sudo install -m 755 kubeseal /usr/local/bin/kubeseal
  • macOS (might lag a few hours behind a new release):
    brew install kubeseal
  • Other OS/arch: you might find binaries for your OS/arch combo attached to this release below.

Cluster side

Install SealedSecret CRD, server-side controller into kube-system namespace.

$ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.8.3/controller.yaml

NOTE: If you can't (or don't want to) use the kube-system namespace, please consider this approach

NOTE: if you want to install it on a GKE cluster for which your user account doesn't have admin rights, please read this

NOTE: since the helm chart is currently maintained elsewhere (see https://github.com/helm/charts/tree/master/stable/sealed-secrets) the update of the helm chart might not happen in sync with releases here.

sealed-secrets - v0.8.2

Published by mkmik about 5 years ago

Changelog

Fixes in this release:

  • Endless loop in controller on invalid base64 encrypted data bug (#201)
  • Fix RBAC for /v1/cert.pem public key in isolated namespaces, removes most use cases for offline sealing with --cert (#208,#166)
  • Accept and seal stringData into secret (#221)
  • Fix a couple of blockers for enabling (still experimental) key rotation (#185, #219, #218)

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/5?closed=1

Install

# Install client-side tool into /usr/local/bin/
$ wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.8.2/kubeseal-$(go env GOOS)-$(go env GOARCH) -O kubeseal
$ sudo install -m 755 kubeseal /usr/local/bin/kubeseal

# Install SealedSecret CRD, server-side controller into kube-system namespace (by default)
$ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.8.2/controller.yaml

NOTE: if you want to install it on a GKE cluster for which your user account doesn't have admin rights, please refer to the README.md for further instructions.

NOTE: since the helm chart is currently maintained elsewhere (see https://github.com/helm/charts/tree/master/stable/sealed-secrets) the update of the helm chart might not happen in sync with releases here.

sealed-secrets - v0.8.1

Published by mkmik about 5 years ago

Changelog

Fixes in this release:

  • Solve kubectl auth issues with clusters using client.authentication.k8s.io/v1beta1 config by upgrading to client-go v12.0.0 (#183)
  • Fix controller crash when writing logs due to read-only root FS (#200)

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/4?closed=1

Install

# Install client-side tool into /usr/local/bin/
$ wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.8.1/kubeseal-$(go env GOOS)-$(go env GOARCH) -O kubeseal
$ sudo install -m 755 kubeseal /usr/local/bin/kubeseal

# Install SealedSecret CRD, server-side controller into kube-system namespace (by default)
$ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.8.1/controller.yaml

NOTE: if you want to install it on a GKE cluster for which your user account doesn't have admin rights, please refer to the README.md for further instructions.

NOTE: since the helm chart is currently maintained elsewhere (see https://github.com/helm/charts/tree/master/stable/sealed-secrets) the update of the helm chart might not happen in sync with releases here.

sealed-secrets - v0.8.0

Published by mkmik about 5 years ago

Changelog

The main improvements in this release are:

  • support for annotations and labels (#92)
  • support for secrets rotation opt-in (#137)
  • fix bug with OwnerReferences handling (#127)
  • EKS support; client-go version bump to release-7.0 (#110)
  • Instructions to run on GKE when user is not cluster-admin (#111)
  • Windows binary of kubeseal (#85)
  • Internal codebase modernization (e.g. switch to Go modules)

The full Changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/3?closed=1

Many thanks to all the folks who contributed to this release!

Install

# Install client-side tool into /usr/local/bin/
$ wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.8.0/kubeseal-$(go env GOOS)-$(go env GOARCH) -O kubeseal
$ sudo install -m 755 kubeseal /usr/local/bin/kubeseal

# Install SealedSecret CRD, server-side controller into kube-system namespace (by default)
$ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.8.0/controller.yaml

NOTE: if you want to install it on a GKE cluster for which your user account doesn't have admin rights, please refer to the README.md for further instructions.

NOTE: since the helm chart is currently maintained elsewhere (see https://github.com/helm/charts/tree/master/stable/sealed-secrets) the update of the helm chart might not happen in sync with releases here.

sealed-secrets - v0.8.0-rc.3

Published by mkmik about 5 years ago

  • Ensure image pull policy is not Never (#194)

sealed-secrets - v0.8.0-rc.1

Published by mkmik over 5 years ago

Intro

Sorry for the delay, we've been through a fun ride lately but we're back on track.
Thanks to all the people who have contributed and offered their help!

v0.8.0 is a long overdue release but I don't want to rush it.
I would like to ask the community to help us validate this release and I guess cutting a release candidate
will lower the barrier for the testers.

The main improvements in this release are:

  • support for annotations and labels (#92)
  • support for secrets rotation opt-in (#137)
  • fix bug with OwnerReferences handling (#127)
  • EKS support; client-go version bump to release-7.0 (#110)
  • Instructions to run on GKE when user is not cluster-admin (#111)
  • Internal codebase modernization (e.g. switch to Go modules)

The full changelog is maintained in https://github.com/bitnami-labs/sealed-secrets/milestone/3?closed=1

Install

# Install client-side tool into /usr/local/bin/
$ wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.8.0-rc.1/kubeseal-$(go env GOOS)-$(go env GOARCH) -O kubeseal
$ sudo install -m 755 kubeseal /usr/local/bin/kubeseal

# Install SealedSecret CRD, server-side controller into kube-system namespace (by default)
$ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.8.0-rc.1/controller.yaml

NOTE: if you want to install it on a GKE cluster for which your user account doesn't have admin rights, please refer to the README.md for further instructions.

NOTE: since the helm chart is currently maintained elsewhere (see https://github.com/helm/charts/tree/master/stable/sealed-secrets) the update of the helm chart might not happen in sync with releases here.

sealed-secrets - v0.7.0

Published by anguslees over 6 years ago

Big change for this release is the switch to per-key encrypted values.
("Keys" as in "object key/value", not as in "encryption key". English is hard.)

  • Previously we generated a single big encrypted blob for each Secret, now we encrypt each value in the Secret separately, with the keys in plain text.
  • This allows:
    • Existing keys can now be renamed and deleted without re-encrypting the value(s).
    • New keys/values can be added to the SealedSecret without re-encrypting (or even having access to!) the existing values.
    • Note that (as before) the encrypted values are still tied to the namespace/name of the enclosing Secret/SealedSecret, so can't be moved to another Secret.
      (The cluster-wide annotation does allow this, with the corresponding caveats, as before)
  • The kubeseal tool does not yet have an option to output just a single value, but you can safely mix+match the individual values from kubeseal output with an existing SealedSecret. Improving kubeseal support for this feature is still an open action item.
  • Existing/older "all-in-one" SealedSecrets are declared deprecated, but will continue to be supported by the controller for the foreseeable future. New invocations of the kubeseal tool now produce per-key encrypted output - if you need to produce the older format, just use an older kubeseal. Please raise a github issue if you have a use-case that requires supporting "all-in-one" SealedSecrets going forward.
  • Note the CRD schema used for server-side validation in k8s >=1.9 has been temporarily removed, because it was unable to support the new per-key structure correctly (see kubernetes/kubernetes#59485).
  • Huge thanks to @sullerandras for the code and his persistence in getting this merged!
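
The mix+match workflow described above, as an added example that is not part of kubeseal or the project's code: keys are renamed, deleted and merged without decrypting anything, and a value is refused when it was sealed for a different namespace/name unless both objects are cluster-wide. The spec.encryptedData field name is taken from the SealedSecret resource format rather than from this page; the function names and the ciphertext strings are constructed placeholders.

```python
import copy

CLUSTER_WIDE = "sealedsecrets.bitnami.com/cluster-wide"


def sealing_scope(sealed):
    """(namespace, name) the values are tied to, or None if cluster-wide."""
    meta = sealed["metadata"]
    if meta.get("annotations", {}).get(CLUSTER_WIDE) == "true":
        return None
    return meta.get("namespace"), meta["name"]


def edit_sealed_secret(existing, fresh=None, rename=None, delete=()):
    """Return a copy of `existing` with keys renamed and deleted, and the
    per-key ciphertexts of `fresh` (new kubeseal output) merged in."""
    if "encryptedData" not in existing.get("spec", {}):
        raise ValueError("all-in-one SealedSecret: no per-key values to edit")
    out = copy.deepcopy(existing)
    data = out["spec"]["encryptedData"]
    for old, new in (rename or {}).items():
        data[new] = data.pop(old)      # ciphertext is reused unchanged
    for key in delete:
        del data[key]
    if fresh is not None:
        src, dst = sealing_scope(fresh), sealing_scope(existing)
        if src != dst:                 # the value is not valid in this object
            raise ValueError(f"sealed for {src!r}, target is {dst!r}")
        data.update(fresh["spec"]["encryptedData"])
    return out


def _sealed(namespace, name, values, cluster_wide=False):
    """Build a constructed SealedSecret document for the examples below."""
    meta = {"namespace": namespace, "name": name}
    if cluster_wide:
        meta["annotations"] = {CLUSTER_WIDE: "true"}
    return {"apiVersion": "bitnami.com/v1alpha1", "kind": "SealedSecret",
            "metadata": meta, "spec": {"encryptedData": dict(values)}}


# Constructed samples; the ciphertexts are placeholders, not real output.
EXISTING = _sealed("prod", "db", {"username": "AgA-user", "password": "AgA-pass"})
FRESH_SAME = _sealed("prod", "db", {"api_token": "AgA-token"})
FRESH_OTHER = _sealed("staging", "db", {"api_token": "AgB-token"})

if __name__ == "__main__":
    merged = edit_sealed_secret(EXISTING, FRESH_SAME,
                                rename={"username": "user"}, delete=["password"])
    print(merged["spec"]["encryptedData"])
```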
sealed-secrets - v0.6.0

Published by anguslees over 6 years ago

  • Support "cluster wide" secrets, that are not restricted to the original namespace
    • Set sealedsecrets.bitnami.com/cluster-wide: "true" annotation
    • Warning: cluster-wide SealedSecrets can be decrypted by anyone who can create a SealedSecret in your cluster
  • Move to client-go v5.0
  • Move to bitnami-labs github org
  • Fix bug in schema validation for k8s 1.9

sealed-secrets - v0.5.1

Published by anguslees about 7 years ago

Note: this version moves TPR/CRD definition into a separate file. To install, you need controller.yaml and either sealedsecret-tpr.yaml or sealedsecret-crd.yaml

  • Add CRD definition and TPR->CRD migration documentation
  • Add kubeseal --fetch-cert to dump server cert to stdout, for later offline use with kubeseal --cert
  • Better sanitisation of input object to kubeseal

(v0.5.1 fixes a travis/github release issue with v0.5.0)

sealed-secrets - v0.4.0

Published by anguslees about 7 years ago

  • controller: deployment security hardening: non-root uid and read-only rootfs
  • kubeseal: Include oidc and gcp auth provider plugins
  • kubeseal: Add support for YAML output

sealed-secrets - v0.3.1

Published by anguslees over 7 years ago

  • Add controller-norbac.yaml to the release build. This is controller.yaml without RBAC rules and related service account - for environments where RBAC is not yet supported, like Azure.
  • Fix missing controller RBAC ClusterRoleBinding in v0.3.0

Package Rankings
Top 0.78% on Proxy.golang.org
Top 7.32% on Alpine-edge
Top 10.93% on Formulae.brew.sh