Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package kubeseal for openSUSE:Factory 
checked in at 2023-09-07 21:13:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kubeseal (Old)
 and      /work/SRC/openSUSE:Factory/.kubeseal.new.1766 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "kubeseal"

Thu Sep  7 21:13:27 2023 rev:21 rq:1109441 version:0.23.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/kubeseal/kubeseal.changes        2023-07-18 
22:07:35.226808788 +0200
+++ /work/SRC/openSUSE:Factory/.kubeseal.new.1766/kubeseal.changes      
2023-09-07 21:14:48.945755366 +0200
@@ -1,0 +2,18 @@
+Thu Sep 07 07:24:51 UTC 2023 - [email protected]
+
+- Update to version 0.23.1:
+  * Release notes for v0.23.1 (#1291)
+  * Bump golang.org/x/crypto from 0.11.0 to 0.12.0 (#1287)
+  * feat: allow changing the default revisionHistoryLimit (#1286)
+  * Introduce KUBESEAL_VERSION for Linux installation (#1275)
+  * securityContext adjusted (#1261)
+  * Bump k8s.io/code-generator from 0.27.3 to 0.27.4 (#1278)
+  * Bump k8s.io/client-go from 0.27.3 to 0.27.4 (#1277)
+  * Bump github.com/onsi/gomega from 1.27.8 to 1.27.10 (#1279)
+  * Bump k8s.io/api from 0.27.3 to 0.27.4 (#1281)
+  * Release carvel package v2.11.0 (#1273)
+  * Create an Install Sealed Secrets tutorial for Sealed Secrets
+    public documentation (#1270)
+  * Release chart 2.11.0 (#1272)
+
+-------------------------------------------------------------------

Old:
----
  sealed-secrets-0.23.0.obscpio

New:
----
  sealed-secrets-0.23.1.obscpio

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ kubeseal.spec ++++++
--- /var/tmp/diff_new_pack.tUO87G/_old  2023-09-07 21:14:50.401807416 +0200
+++ /var/tmp/diff_new_pack.tUO87G/_new  2023-09-07 21:14:50.405807559 +0200
@@ -21,7 +21,7 @@
 %define archive_name sealed-secrets
 
 Name:           kubeseal
-Version:        0.23.0
+Version:        0.23.1
 Release:        0
 Summary:        CLI for encrypting secrets to SealedSecrets
 License:        Apache-2.0

++++++ _service ++++++
--- /var/tmp/diff_new_pack.tUO87G/_old  2023-09-07 21:14:50.433808561 +0200
+++ /var/tmp/diff_new_pack.tUO87G/_new  2023-09-07 21:14:50.437808703 +0200
@@ -1,14 +1,14 @@
 <services>
-  <service name="obs_scm" mode="disabled">
+  <service name="obs_scm" mode="manual">
     <param name="url">https://github.com/bitnami-labs/sealed-secrets</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="revision">v0.23.0</param>
+    <param name="revision">v0.23.1</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>
     <param name="versionrewrite-pattern">v(.*)</param>
   </service>
-  <service name="set_version" mode="disabled">
+  <service name="set_version" mode="manual">
     <param name="basename">sealed-secrets</param>
   </service>
   <service name="tar" mode="buildtime"/>
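Review bot: the `revision` parameter of `obs_scm` is pinned to the tag name `v0.23.1`, and a tag can be moved upstream after the fact; the only fixed reference in this package is the `changesrevision` commit recorded in `_servicedata`. Consider pinning `revision` to that commit, or checking on each manual service run that the tag still resolves to it, so the fetched `sealed-secrets-0.23.1.obscpio` is reproducible.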
@@ -16,8 +16,8 @@
     <param name="file">*.tar</param>
     <param name="compression">gz</param>
   </service>
-  <service name="go_modules" mode="disabled">
-    <param name="archive">sealed-secrets-0.23.0.obscpio</param>
+  <service name="go_modules" mode="manual">
+    <param name="archive">sealed-secrets-0.23.1.obscpio</param>
   </service>
 </services>
 

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.tUO87G/_old  2023-09-07 21:14:50.453809275 +0200
+++ /var/tmp/diff_new_pack.tUO87G/_new  2023-09-07 21:14:50.457809418 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://github.com/bitnami-labs/sealed-secrets</param>
-              <param 
name="changesrevision">ad430d5c2bb7cf8ac53024b49930ddd0ef34390f</param></service></servicedata>
+              <param 
name="changesrevision">daa514e978924ee31007b6213783b7e4623a08c1</param></service></servicedata>
 (No newline at EOF)
 

++++++ sealed-secrets-0.23.0.obscpio -> sealed-secrets-0.23.1.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sealed-secrets-0.23.0/README.md 
new/sealed-secrets-0.23.1/README.md
--- old/sealed-secrets-0.23.0/README.md 2023-07-17 12:49:49.000000000 +0200
+++ new/sealed-secrets-0.23.1/README.md 2023-08-17 14:19:21.000000000 +0200
@@ -379,8 +379,9 @@
 The `kubeseal` client can be installed on Linux, using the below commands:
 
 ```bash
-wget 
https://github.com/bitnami-labs/sealed-secrets/releases/download/<release-tag>/kubeseal-<version>-linux-amd64.tar.gz
-tar -xvzf kubeseal-<version>-linux-amd64.tar.gz kubeseal
+KUBESEAL_VERSION='' # Set this to, for example, KUBESEAL_VERSION='0.23.0'
+wget 
"https://github.com/bitnami-labs/sealed-secrets/releases/download/v${KUBESEAL_VERSION:?}/kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz";
+tar -xvzf kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz kubeseal
 sudo install -m 755 kubeseal /usr/local/bin/kubeseal
 ```
 
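Review bot: the updated `wget` / `tar` / `sudo install` sequence still installs the downloaded binary as root with no integrity check between download and install; add a step that verifies the tarball against a checksum or signature obtained from the release before `sudo install -m 755 kubeseal /usr/local/bin/kubeseal`. Smaller points in the same block: the `tar -xvzf kubeseal-${KUBESEAL_VERSION:?}-linux-amd64.tar.gz` argument is unquoted while the `wget` URL is quoted, and the trailing `;` after the URL is unnecessary.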
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sealed-secrets-0.23.0/RELEASE-NOTES.md 
new/sealed-secrets-0.23.1/RELEASE-NOTES.md
--- old/sealed-secrets-0.23.0/RELEASE-NOTES.md  2023-07-17 12:49:49.000000000 
+0200
+++ new/sealed-secrets-0.23.1/RELEASE-NOTES.md  2023-08-17 14:19:21.000000000 
+0200
@@ -4,6 +4,18 @@
 
 
[![](https://img.shields.io/github/release/bitnami-labs/sealed-secrets.svg)](https://github.com/bitnami-labs/sealed-secrets/releases/latest)
 
+## v0.23.1
+
+### Changelog
+
+- securityContext adjusted 
([#1261](https://github.com/bitnami-labs/sealed-secrets/pull/1261))
+- allow changing the default revisionHistoryLimit 
([#1286](https://github.com/bitnami-labs/sealed-secrets/pull/1286))
+- Bump k8s.io/client-go from 0.27.3 to 0.27.4 
([#1277](https://github.com/bitnami-labs/sealed-secrets/pull/1277))
+- Bump k8s.io/code-generator from 0.27.3 to 0.27.4 
([#1278](https://github.com/bitnami-labs/sealed-secrets/pull/1278))
+- Bump github.com/onsi/gomega from 1.27.8 to 1.27.10 
([#1279](https://github.com/bitnami-labs/sealed-secrets/pull/1279))
+- Bump k8s.io/api from 0.27.3 to 0.27.4 
([#1281](https://github.com/bitnami-labs/sealed-secrets/pull/1281))
+- Bump golang.org/x/crypto from 0.11.0 to 0.12.0 
([#1287](https://github.com/bitnami-labs/sealed-secrets/pull/1287)
+
 ## v0.23.0
 
 ### Changelog
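Review bot: the last added changelog entry, for the golang.org/x/crypto bump, is missing its closing parenthesis: it ends in `pull/1287)` where every other entry ends in `))`, so the Markdown link is left with an unbalanced `(`. Add the `)`. The KUBESEAL_VERSION change (#1275) that the package changelog lists for this version is also absent from this v0.23.1 list.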
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sealed-secrets-0.23.0/carvel/package.yaml 
new/sealed-secrets-0.23.1/carvel/package.yaml
--- old/sealed-secrets-0.23.0/carvel/package.yaml       2023-07-17 
12:49:49.000000000 +0200
+++ new/sealed-secrets-0.23.1/carvel/package.yaml       2023-08-17 
14:19:21.000000000 +0200
@@ -1,10 +1,10 @@
 apiVersion: data.packaging.carvel.dev/v1alpha1
 kind: Package
 metadata:
-  name: "sealedsecrets.bitnami.com.2.10.0"
+  name: "sealedsecrets.bitnami.com.2.11.0"
 spec:
   refName: "sealedsecrets.bitnami.com"
-  version: "2.10.0"
+  version: "2.11.0"
   valuesSchema:
     openAPIv3:
       title: Chart Values
@@ -45,7 +45,7 @@
             tag:
               type: string
               description: Sealed Secrets image tag (immutable tags are 
recommended)
-              default: v0.22.0
+              default: v0.23.0
             pullPolicy:
               type: string
               description: Sealed Secrets image pull policy
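Review bot: `default: v0.23.0` for the image `tag` leaves the package default one release behind the 0.23.1 tree it ships in, so a deployment that takes the bundled defaults runs the previous controller release. If that lag is intended because the chart is cut before the image, say so in the description; otherwise bump the default. The description itself recommends immutable tags, so a digest-pinned default, as the `imgpkgBundle` image further down already uses, would match that advice.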
@@ -424,7 +424,7 @@
     spec:
       fetch:
       - imgpkgBundle:
-          image: 
ghcr.io/bitnami-labs/sealed-secrets-carvel:sha256-0c818925ba10ba03f1d7e8b26fa331e42610f957b6891338e2a59e814ec853b5.imgpkg
+          image: 
ghcr.io/bitnami-labs/sealed-secrets-carvel:sha256-2fcd014eab7877bba7ec295e928a19ef18ab4d9643bb2dea07a8f9e92ac94e1e.imgpkg
       template:
       - helmTemplate:
           path: sealed-secrets
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sealed-secrets-0.23.0/controller-norbac.jsonnet 
new/sealed-secrets-0.23.1/controller-norbac.jsonnet
--- old/sealed-secrets-0.23.0/controller-norbac.jsonnet 2023-07-17 
12:49:49.000000000 +0200
+++ new/sealed-secrets-0.23.1/controller-norbac.jsonnet 2023-08-17 
14:19:21.000000000 +0200
@@ -40,6 +40,11 @@
         spec+: {
           securityContext+: {
             fsGroup: 65534,
+            runAsNonRoot: true,
+            runAsUser: 1001,
+            seccompProfile+: {
+              type: 'RuntimeDefault',
+            }
           },
           containers_+: {
             controller: kube.Container('sealed-secrets-controller') {
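Review bot: the pod-level `securityContext+` now sets `runAsUser: 1001` and `fsGroup: 65534` but no `runAsGroup`, so the primary GID of the process is left to the image or runtime default; set `runAsGroup` explicitly if a non-root group is intended. Style: the closing `}` of `seccompProfile+` lacks the trailing comma that the neighbouring fields use.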
@@ -54,9 +59,11 @@
                 http: { containerPort: 8080 },
               },
               securityContext+: {
+                allowPrivilegeEscalation: false,
+                capabilities+: {
+                  drop: [ 'ALL' ],
+                },
                 readOnlyRootFilesystem: true,
-                runAsNonRoot: true,
-                runAsUser: 1001,
               },
               volumeMounts_+: {
                 tmp: {
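Review bot: removing `runAsNonRoot: true` and `runAsUser: 1001` from the container `securityContext+` makes non-root enforcement depend entirely on the pod-level block added in the previous hunk, so a derived manifest that replaces the pod `securityContext` instead of merging into it loses the guarantee silently. Consider keeping `runAsNonRoot: true` at container level as well; it is cheap and sits naturally next to `allowPrivilegeEscalation: false` and `drop: [ 'ALL' ]`.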
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sealed-secrets-0.23.0/go.mod 
new/sealed-secrets-0.23.1/go.mod
--- old/sealed-secrets-0.23.0/go.mod    2023-07-17 12:49:49.000000000 +0200
+++ new/sealed-secrets-0.23.1/go.mod    2023-08-17 14:19:21.000000000 +0200
@@ -8,16 +8,16 @@
        github.com/mattn/go-isatty v0.0.19
        github.com/mkmik/multierror v0.3.0
        github.com/onsi/ginkgo/v2 v2.11.0
-       github.com/onsi/gomega v1.27.8
+       github.com/onsi/gomega v1.27.10
        github.com/prometheus/client_golang v1.16.0
        github.com/spf13/pflag v1.0.5
        github.com/throttled/throttled v2.2.5+incompatible
-       golang.org/x/crypto v0.11.0
+       golang.org/x/crypto v0.12.0
        gopkg.in/yaml.v2 v2.4.0
-       k8s.io/api v0.27.3
-       k8s.io/apimachinery v0.27.3
-       k8s.io/client-go v0.27.3
-       k8s.io/code-generator v0.27.3
+       k8s.io/api v0.27.4
+       k8s.io/apimachinery v0.27.4
+       k8s.io/client-go v0.27.4
+       k8s.io/code-generator v0.27.4
        k8s.io/klog v1.0.0
        k8s.io/klog/v2 v2.100.1
 )
@@ -55,11 +55,11 @@
        github.com/prometheus/common v0.42.0 // indirect
        github.com/prometheus/procfs v0.10.1 // indirect
        golang.org/x/mod v0.10.0 // indirect
-       golang.org/x/net v0.10.0 // indirect
+       golang.org/x/net v0.12.0 // indirect
        golang.org/x/oauth2 v0.5.0 // indirect
-       golang.org/x/sys v0.10.0 // indirect
-       golang.org/x/term v0.10.0 // indirect
-       golang.org/x/text v0.11.0 // indirect
+       golang.org/x/sys v0.11.0 // indirect
+       golang.org/x/term v0.11.0 // indirect
+       golang.org/x/text v0.12.0 // indirect
        golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
        golang.org/x/tools v0.9.3 // indirect
        google.golang.org/appengine v1.6.7 // indirect
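Review bot: the indirect bumps in this hunk (`golang.org/x/net` 0.10.0 to 0.12.0, plus `golang.org/x/sys`, `golang.org/x/term` and `golang.org/x/text`) are not mentioned in the v0.23.1 changelog, which lists only the direct golang.org/x/crypto, k8s.io and gomega bumps. Anyone tracking advisories against this package by its changelog will miss them; list the indirect updates there, or note that they are pulled in by the crypto bump.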
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sealed-secrets-0.23.0/go.sum 
new/sealed-secrets-0.23.1/go.sum
--- old/sealed-secrets-0.23.0/go.sum    2023-07-17 12:49:49.000000000 +0200
+++ new/sealed-secrets-0.23.1/go.sum    2023-08-17 14:19:21.000000000 +0200
@@ -128,8 +128,8 @@
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod 
h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/onsi/ginkgo/v2 v2.11.0 
h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU=
 github.com/onsi/ginkgo/v2 v2.11.0/go.mod 
h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM=
-github.com/onsi/gomega v1.27.8 h1:gegWiwZjBsf2DgiSbf5hpokZ98JVDMcWkUiigk6/KXc=
-github.com/onsi/gomega v1.27.8/go.mod 
h1:2J8vzI/s+2shY9XHRApDkdgPo1TKT7P2u6fXeJKFnNQ=
+github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
+github.com/onsi/gomega v1.27.10/go.mod 
h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod 
h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 
h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -144,7 +144,7 @@
 github.com/prometheus/procfs v0.10.1 
h1:kYK1Va/YMlutzCGazswoHKo//tZVlFpKYh+PymziUAg=
 github.com/prometheus/procfs v0.10.1/go.mod 
h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod 
h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
-github.com/rogpeppe/go-internal v1.10.0 
h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.11.0 
h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod 
h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod 
h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
@@ -170,8 +170,8 @@
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod 
h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod 
h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod 
h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
-golang.org/x/crypto v0.11.0/go.mod 
h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
+golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
+golang.org/x/crypto v0.12.0/go.mod 
h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod 
h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod 
h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod 
h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@@ -193,8 +193,8 @@
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod 
h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod 
h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod 
h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
-golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50=
+golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod 
h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod 
h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.5.0 h1:HuArIo48skDwlrvM3sEdHXElYslAMsf3KwRkkW4MC4s=
@@ -216,18 +216,18 @@
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
-golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
+golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod 
h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c=
-golang.org/x/term v0.10.0/go.mod 
h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
+golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0=
+golang.org/x/term v0.11.0/go.mod 
h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4=
-golang.org/x/text v0.11.0/go.mod 
h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
+golang.org/x/text v0.12.0/go.mod 
h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 
h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44=
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod 
h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod 
h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -292,14 +292,14 @@
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod 
h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod 
h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.27.3 h1:yR6oQXXnUEBWEWcvPWS0jQL575KoAboQPfJAuKNrw5Y=
-k8s.io/api v0.27.3/go.mod h1:C4BNvZnQOF7JA/0Xed2S+aUyJSfTGkGFxLXz9MnpIpg=
-k8s.io/apimachinery v0.27.3 h1:Ubye8oBufD04l9QnNtW05idcOe9Z3GQN8+7PqmuVcUM=
-k8s.io/apimachinery v0.27.3/go.mod 
h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E=
-k8s.io/client-go v0.27.3 h1:7dnEGHZEJld3lYwxvLl7WoehK6lAq7GvgjxpA3nv1E8=
-k8s.io/client-go v0.27.3/go.mod h1:2MBEKuTo6V1lbKy3z1euEGnhPfGZLKTS9tiJ2xodM48=
-k8s.io/code-generator v0.27.3 h1:JRhRQkzKdQhHmv9s5f7vuqveL8qukAQ2IqaHm6MFspM=
-k8s.io/code-generator v0.27.3/go.mod 
h1:DPung1sI5vBgn4AGKtlPRQAyagj/ir/4jI55ipZHVww=
+k8s.io/api v0.27.4 h1:0pCo/AN9hONazBKlNUdhQymmnfLRbSZjd5H5H3f0bSs=
+k8s.io/api v0.27.4/go.mod h1:O3smaaX15NfxjzILfiln1D8Z3+gEYpjEpiNA/1EVK1Y=
+k8s.io/apimachinery v0.27.4 h1:CdxflD4AF61yewuid0fLl6bM4a3q04jWel0IlP+aYjs=
+k8s.io/apimachinery v0.27.4/go.mod 
h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E=
+k8s.io/client-go v0.27.4 h1:vj2YTtSJ6J4KxaC88P4pMPEQECWMY8gqPqsTgUKzvjk=
+k8s.io/client-go v0.27.4/go.mod h1:ragcly7lUlN0SRPk5/ZkGnDjPknzb37TICq07WhI6Xc=
+k8s.io/code-generator v0.27.4 h1:bw2xFEBnthhCSC7Bt6FFHhPTfWX21IJ30GXxOzywsFE=
+k8s.io/code-generator v0.27.4/go.mod 
h1:DPung1sI5vBgn4AGKtlPRQAyagj/ir/4jI55ipZHVww=
 k8s.io/gengo v0.0.0-20220902162205-c0856e24416d 
h1:U9tB195lKdzwqicbJvyJeOXV7Klv+wNAWENRnXEGi08=
 k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod 
h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sealed-secrets-0.23.0/helm/sealed-secrets/Chart.yaml 
new/sealed-secrets-0.23.1/helm/sealed-secrets/Chart.yaml
--- old/sealed-secrets-0.23.0/helm/sealed-secrets/Chart.yaml    2023-07-17 
12:49:49.000000000 +0200
+++ new/sealed-secrets-0.23.1/helm/sealed-secrets/Chart.yaml    2023-08-17 
14:19:21.000000000 +0200
@@ -1,7 +1,7 @@
 annotations:
   category: DeveloperTools
 apiVersion: v2
-appVersion: v0.22.0
+appVersion: v0.23.0
 description: Helm chart for the sealed-secrets controller.
 home: https://github.com/bitnami-labs/sealed-secrets
 icon: 
https://bitnami.com/assets/stacks/sealed-secrets/img/sealed-secrets-stack-220x234.png
@@ -14,4 +14,4 @@
     url: https://github.com/bitnami-labs/sealed-secrets
 name: sealed-secrets
 type: application
-version: 2.10.0
+version: 2.11.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sealed-secrets-0.23.0/helm/sealed-secrets/README.md 
new/sealed-secrets-0.23.1/helm/sealed-secrets/README.md
--- old/sealed-secrets-0.23.0/helm/sealed-secrets/README.md     2023-07-17 
12:49:49.000000000 +0200
+++ new/sealed-secrets-0.23.1/helm/sealed-secrets/README.md     2023-08-17 
14:19:21.000000000 +0200
@@ -85,9 +85,10 @@
 | ------------------------------------------------- | 
--------------------------------------------------------------------------------------
 | ----------------------------------- |
 | `image.registry`                                  | Sealed Secrets image 
registry                                                          | `docker.io` 
                        |
 | `image.repository`                                | Sealed Secrets image 
repository                                                        | 
`bitnami/sealed-secrets-controller` |
-| `image.tag`                                       | Sealed Secrets image tag 
(immutable tags are recommended)                              | `v0.22.0`       
                    |
+| `image.tag`                                       | Sealed Secrets image tag 
(immutable tags are recommended)                              | `v0.23.0`       
                    |
 | `image.pullPolicy`                                | Sealed Secrets image 
pull policy                                                       | 
`IfNotPresent`                      |
 | `image.pullSecrets`                               | Sealed Secrets image 
pull secrets                                                      | `[]`        
                        |
+| `revisionHistoryLimit`                            | Number of old history to 
retain to allow rollback. Default 10                          | `""`            
                    |
 | `createController`                                | Specifies whether the 
Sealed Secrets controller should be created                      | `true`       
                       |
 | `secretName`                                      | The name of an existing 
TLS secret containing the key used to encrypt secrets          | 
`sealed-secrets-key`                |
 | `updateStatus`                                    | Specifies whether the 
Sealed Secrets controller should update the status subresource   | `true`       
                       |
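Review bot: the description in the new `revisionHistoryLimit` row, "Number of old history to retain to allow rollback", does not say what is being counted. For a Deployment this setting is the number of old ReplicaSets kept, so "Number of old ReplicaSets to retain to allow rollback. Default 10" would be clearer.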
@@ -95,9 +96,9 @@
 | `keyrenewperiod`                                  | Specifies key renewal 
period. Default 30 days                                          | `""`         
                       |
 | `rateLimit`                                       | Number of allowed 
sustained request per second for verify endpoint                     | `""`     
                           |
 | `rateLimitBurst`                                  | Number of requests 
allowed to exceed the rate limit per second for verify endpoint     | `""`      
                          |
-| `additionalNamespaces`                            | List of namespaces used 
to manage the Sealed Secrets                                   | `[]`      
+| `additionalNamespaces`                            | List of namespaces used 
to manage the Sealed Secrets                                   | `[]`           
                     |
 | `privateKeyAnnotations`                           | Map of annotations to be 
set on the sealing keypairs                                   | `{}`            
                    |
-| `privateKeyLabels`                                | Map of labels to be set 
on the sealing keypairs                                   | `{}`                
                |
+| `privateKeyLabels`                                | Map of labels to be set 
on the sealing keypairs                                        | `{}`           
                     |
 | `logInfoStdout`                                   | Specifies whether the 
Sealed Secrets controller will log info to stdout                | `false`      
                       |
 | `command`                                         | Override default 
container command                                                     | `[]`    
                            |
 | `args`                                            | Override default 
container args                                                        | `[]`    
                            |
@@ -145,45 +146,45 @@
 
 ### Traffic Exposure Parameters
 
-| Name                       | Description                                     
                                                                                
 | Value                    |
-| -------------------------- | 
--------------------------------------------------------------------------------------------------------------------------------
 | ------------------------ |
-| `service.type`             | Sealed Secret service type                      
                                                                                
 | `ClusterIP`              |
-| `service.port`             | Sealed Secret service HTTP port                 
                                                                                
 | `8080`                   |
-| `service.nodePort`         | Node port for HTTP                              
                                                                                
 | `""`                     |
-| `service.annotations`      | Additional custom annotations for Sealed Secret 
service                                                                         
 | `{}`                     |
-| `ingress.enabled`          | Enable ingress record generation for Sealed 
Secret                                                                          
     | `false`                  |
-| `ingress.pathType`         | Ingress path type                               
                                                                                
 | `ImplementationSpecific` |
-| `ingress.apiVersion`       | Force Ingress API version (automatically 
detected if not set)                                                            
        | `""`                     |
-| `ingress.ingressClassName` | IngressClass that will be be used to implement 
the Ingress                                                                     
  | `""`                     |
-| `ingress.hostname`         | Default host for the ingress record             
                                                                                
 | `sealed-secrets.local`   |
-| `ingress.path`             | Default path for the ingress record             
                                                                                
 | `/v1/cert.pem`           |
-| `ingress.annotations`      | Additional annotations for the Ingress 
resource. To enable certificate autogeneration, place here your cert-manager 
annotations. | `{}`                     |
-| `ingress.tls`              | Enable TLS configuration for the host defined 
at `ingress.hostname` parameter                                                 
   | `false`                  |
-| `ingress.selfSigned`       | Create a TLS secret for this ingress record 
using self-signed certificates generated by Helm                                
     | `false`                  |
-| `ingress.extraHosts`       | An array with additional hostname(s) to be 
covered with the ingress record                                                 
      | `[]`                     |
-| `ingress.extraPaths`       | An array with additional arbitrary paths that 
may need to be added to the ingress under the main host                         
   | `[]`                     |
-| `ingress.extraTls`         | TLS configuration for additional hostname(s) to 
be covered with this ingress record                                             
 | `[]`                     |
-| `ingress.secrets`          | Custom TLS certificates as secrets              
                                                                                
 | `[]`                     |
-| `networkPolicy.enabled`    | Specifies whether a NetworkPolicy should be 
created                                                                         
     | `false`                  |
-| `networkPolicy.egress.enabled`    | Specifies wheter a egress is set in the 
NetworkPolicy                                                                   
           | `false`                  |
-| `networkPolicy.egress.kubeapiCidr`    | Specifies the kubeapiCidr, which is 
the only egress allowed. If not set, kubeapiCidr will be found using Helm 
lookup                                                                          
    | `""`                  |
-| `networkPolicy.egress.kubeapiPort`    | Specifies the kubeapiPort, which is 
the only egress allowed. If not set, kubeapiPort will be found using Helm 
lookup                                                                          
    | `""`                  |
+| Name                               | Description                             
                                                                                
         | Value                    |
+| ---------------------------------- | 
--------------------------------------------------------------------------------------------------------------------------------
 | ------------------------ |
+| `service.type`                     | Sealed Secret service type              
                                                                                
         | `ClusterIP`              |
+| `service.port`                     | Sealed Secret service HTTP port         
                                                                                
         | `8080`                   |
+| `service.nodePort`                 | Node port for HTTP                      
                                                                                
         | `""`                     |
+| `service.annotations`              | Additional custom annotations for 
Sealed Secret service                                                           
               | `{}`                     |
+| `ingress.enabled`                  | Enable ingress record generation for 
Sealed Secret                                                                   
            | `false`                  |
+| `ingress.pathType`                 | Ingress path type                       
                                                                                
         | `ImplementationSpecific` |
+| `ingress.apiVersion`               | Force Ingress API version 
(automatically detected if not set)                                             
                       | `""`                     |
+| `ingress.ingressClassName`         | IngressClass that will be be used to 
implement the Ingress                                                           
            | `""`                     |
+| `ingress.hostname`                 | Default host for the ingress record     
                                                                                
         | `sealed-secrets.local`   |
+| `ingress.path`                     | Default path for the ingress record     
                                                                                
         | `/v1/cert.pem`           |
+| `ingress.annotations`              | Additional annotations for the Ingress 
resource. To enable certificate autogeneration, place here your cert-manager 
annotations. | `{}`                     |
+| `ingress.tls`                      | Enable TLS configuration for the host 
defined at `ingress.hostname` parameter                                         
           | `false`                  |
+| `ingress.selfSigned`               | Create a TLS secret for this ingress 
record using self-signed certificates generated by Helm                         
            | `false`                  |
+| `ingress.extraHosts`               | An array with additional hostname(s) to 
be covered with the ingress record                                              
         | `[]`                     |
+| `ingress.extraPaths`               | An array with additional arbitrary 
paths that may need to be added to the ingress under the main host              
              | `[]`                     |
+| `ingress.extraTls`                 | TLS configuration for additional 
hostname(s) to be covered with this ingress record                              
                | `[]`                     |
+| `ingress.secrets`                  | Custom TLS certificates as secrets      
                                                                                
         | `[]`                     |
+| `networkPolicy.enabled`            | Specifies whether a NetworkPolicy 
should be created                                                               
               | `false`                  |
+| `networkPolicy.egress.enabled`     | Specifies wheter a egress is set in the 
NetworkPolicy                                                                   
         | `false`                  |
+| `networkPolicy.egress.kubeapiCidr` | Specifies the kubeapiCidr, which is the 
only egress allowed. If not set, kubeapiCidr will be found using Helm lookup    
         | `""`                     |
+| `networkPolicy.egress.kubeapiPort` | Specifies the kubeapiPort, which is the 
only egress allowed. If not set, kubeapiPort will be found using Helm lookup    
         | `""`                     |
 
 ### Other Parameters
 
-| Name                         | Description                                   
                | Value              |
-| ---------------------------- | 
------------------------------------------------------------- | 
------------------ |
-| `serviceAccount.annotations` | Annotations for Sealed Secret service account 
                | `{}`               |
-| `serviceAccount.create`      | Specifies whether a ServiceAccount should be 
created          | `true`             |
-| `serviceAccount.labels`      | Extra labels to be added to the 
ServiceAccount                | `{}`               |
-| `serviceAccount.name`        | The name of the ServiceAccount to use.        
                | `""`               |
-| `rbac.create`                | Specifies whether RBAC resources should be 
created            | `true`             |
-| `rbac.clusterRole`           | Specifies whether the Cluster Role resource 
should be created | `true`             |
-| `rbac.clusterRoleName`       | Specifies the name for the Cluster Role 
resource              | `secrets-unsealer` |
+| Name                         | Description                                   
                                                           | Value              
|
+| ---------------------------- | 
--------------------------------------------------------------------------------------------------------
 | ------------------ |
+| `serviceAccount.annotations` | Annotations for Sealed Secret service account 
                                                           | `{}`               
|
+| `serviceAccount.create`      | Specifies whether a ServiceAccount should be 
created                                                     | `true`            
 |
+| `serviceAccount.labels`      | Extra labels to be added to the 
ServiceAccount                                                           | `{}` 
              |
+| `serviceAccount.name`        | The name of the ServiceAccount to use.        
                                                           | `""`               
|
+| `rbac.create`                | Specifies whether RBAC resources should be 
created                                                       | `true`          
   |
+| `rbac.clusterRole`           | Specifies whether the Cluster Role resource 
should be created                                            | `true`           
  |
+| `rbac.clusterRoleName`       | Specifies the name for the Cluster Role 
resource                                                         | 
`secrets-unsealer` |
 | `rbac.namespacedRoles`       | Specifies whether the namespaced Roles should 
be created (in each of the specified additionalNamespaces) | `false`            
|
-| `rbac.namespacedRolesName`   | Specifies the name for the namesapced Role 
resource           | `secrets-unsealer` |
-| `rbac.labels`                | Extra labels to be added to RBAC resources    
                | `{}`               |
-| `rbac.pspEnabled`            | PodSecurityPolicy                             
                | `false`            |
+| `rbac.namespacedRolesName`   | Specifies the name for the namesapced Role 
resource                                                      | 
`secrets-unsealer` |
+| `rbac.labels`                | Extra labels to be added to RBAC resources    
                                                           | `{}`               
|
+| `rbac.pspEnabled`            | PodSecurityPolicy                             
                                                           | `false`            
|
 
 ### Metrics parameters
 
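Review bot: the added parameter rows carry three typos: `ingress.ingressClassName` reads "will be be used", `networkPolicy.egress.enabled` reads "wheter a egress", and `rbac.namespacedRolesName` still says "namesapced", copied over unchanged from the removed row. Since these rows are being rewritten anyway, fix them here. It would also help to state in the `ingress.tls` description that, with the defaults shown (`ingress.path` of `/v1/cert.pem` and `ingress.tls` of `false`), enabling the ingress serves the sealing certificate over plain HTTP, so readers know to turn TLS on when they expose it.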
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/sealed-secrets-0.23.0/helm/sealed-secrets/templates/deployment.yaml 
new/sealed-secrets-0.23.1/helm/sealed-secrets/templates/deployment.yaml
--- old/sealed-secrets-0.23.0/helm/sealed-secrets/templates/deployment.yaml     
2023-07-17 12:49:49.000000000 +0200
+++ new/sealed-secrets-0.23.1/helm/sealed-secrets/templates/deployment.yaml     
2023-08-17 14:19:21.000000000 +0200
@@ -10,6 +10,9 @@
   {{- end }}
 spec:
   replicas: 1
+  {{- if .Values.revisionHistoryLimit }}
+  revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
+  {{- end }}
   selector:
     matchLabels: {{- include "sealed-secrets.matchLabels" . | nindent 6 }}
   template:
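Review bot: the `{{- if .Values.revisionHistoryLimit }}` guard is a truthiness test, so `revisionHistoryLimit: 0` is dropped the same way as the empty default and the Deployment silently falls back to the Kubernetes default. If 0 (keep no old ReplicaSets) is meant to be settable, compare against the empty string instead, for example `{{- if ne (toString .Values.revisionHistoryLimit) "" }}`.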
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/sealed-secrets-0.23.0/helm/sealed-secrets/values.yaml 
new/sealed-secrets-0.23.1/helm/sealed-secrets/values.yaml
--- old/sealed-secrets-0.23.0/helm/sealed-secrets/values.yaml   2023-07-17 
12:49:49.000000000 +0200
+++ new/sealed-secrets-0.23.1/helm/sealed-secrets/values.yaml   2023-08-17 
14:19:21.000000000 +0200
@@ -12,6 +12,7 @@
 ## @param namespace Namespace where to deploy the Sealed Secrets controller
 ##
 namespace: ""
+
 ## @param extraDeploy [array] Array of extra objects to deploy with the release
 ##
 extraDeploy: []
@@ -33,7 +34,7 @@
 image:
   registry: docker.io
   repository: bitnami/sealed-secrets-controller
-  tag: v0.22.0
+  tag: v0.23.0
   ## Specify a imagePullPolicy
   ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
   ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
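Review bot: `tag: v0.23.0` leaves the chart's default image one patch release behind the 0.23.1 tree this file ships in, so an install with default values deploys the v0.23.0 controller. Confirm the lag is intended, or bump the tag together with the release.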
@@ -47,6 +48,9 @@
   ##   - myRegistryKeySecretName
   ##
   pullSecrets: []
+## @param revisionHistoryLimit Number of old history to retain to allow 
rollback (If not set, default Kubernetes value is set to 10)
+## e.g:
+revisionHistoryLimit: ""
 ## @param createController Specifies whether the Sealed Secrets controller 
should be created
 ##
 createController: true
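Review bot: the `## e.g:` comment above `revisionHistoryLimit: ""` is left without an example, and "Number of old history to retain" does not say what is counted. Suggest "Number of old ReplicaSets to retain to allow rollback" and either a sample value after `e.g:` or dropping that line. The default is an empty string for a field Kubernetes expects as an integer; that only works because the template omits the key when the value is empty, which deserves a short comment here.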
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/sealed-secrets-0.23.0/site/content/docs/latest/tutorials/README.md 
new/sealed-secrets-0.23.1/site/content/docs/latest/tutorials/README.md
--- old/sealed-secrets-0.23.0/site/content/docs/latest/tutorials/README.md      
2023-07-17 12:49:49.000000000 +0200
+++ new/sealed-secrets-0.23.1/site/content/docs/latest/tutorials/README.md      
2023-08-17 14:19:21.000000000 +0200
@@ -7,6 +7,7 @@
 | Tutorial                                | Description                        
                                                                                
          |
 
|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------|
 | [Getting started](./getting-started.md) | This guide walks you through the 
process of deploying Sealed Secrets for your cluster and installing an example 
Sealed Secrets. |
+| [Sealed Secrets controller installation](./install-sealed-secrets.md) | Here 
we cover the different alternatives to install the Sealed Secrets controller, 
with special notes for environments with restricted permissions. |
 
 Alternatively, if you have a specific goal, but are already familiar with 
Sealed Secrets, take a look at our [How-to guides](../howto/README.md). These 
have more in-depth detail and can be applied to a broader set of features.
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/sealed-secrets-0.23.0/site/content/docs/latest/tutorials/install-sealed-secrets.md
 
new/sealed-secrets-0.23.1/site/content/docs/latest/tutorials/install-sealed-secrets.md
--- 
old/sealed-secrets-0.23.0/site/content/docs/latest/tutorials/install-sealed-secrets.md
      1970-01-01 01:00:00.000000000 +0100
+++ 
new/sealed-secrets-0.23.1/site/content/docs/latest/tutorials/install-sealed-secrets.md
      2023-08-17 14:19:21.000000000 +0200
@@ -0,0 +1,109 @@
+# Sealed Secrets controller installation
+
+<!-- START doctoc generated TOC please keep comment here to allow auto update 
-->
+<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
+
+- [Assumptions and prerequisites](#assumptions-and-prerequisites)
+- [Installing from Manifests](#installing-from-manifests)
+  - [Installing in a GKE cluster](#installing-in-a-gke-cluster)
+- [Installing the Helm Chart](#installing-the-helm-chart)
+  - [Installing in an Openshift cluster](#installing-in-an-openshift-cluster)
+- [Installing the Carvel package](#installing-the-carvel-package)
+
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+
+## Assumptions and prerequisites
+
+- You have access to an existing Kubernetes cluster (v1.16+).
+- You have [`kubectl`](https://kubernetes.io/docs/tasks/tools/) command-line 
interface installed and configured to talk to your Kubernetes cluster.
+- For the Helm installation, you have the 
[`helm`](https://helm.sh/docs/intro/install/) (v3.1.0+) command-line interface 
installed and configured to talk to your Kubernetes cluster.
+- For the Carvel installation, you have the 
[`kapp`](https://carvel.dev/kapp/docs/latest/install/) command-line interface 
installed and configured to talk to your Kubernetes cluster.
+
+The controller can be deployed using three different methods: direct yaml 
manifest installation, helm chart or carvel package.
+
+## Installing from Manifests
+
+Sealed secrets controller manifests are available from the [releases 
page](https://github.com/bitnami-labs/sealed-secrets/releases). You can choose 
the most convenient deployment for your cluster:
+
+- `controller.yaml` Is a full manifest description of all the components 
required for the Sealed Secrets controller to operate. This includes Cluster 
role permissions and CRD definitions.
+- `controller-norbac.yaml` Is a restricted version of the manifest descriptor. 
This version does not include CRDs nor Cluster roles.
+
+To install the controller simply type:
+
+```console
+$ kubectl apply -f 
https://github.com/bitnami-labs/sealed-secrets/releases/download/{{VERSION}}/controller.yaml
+
+role.rbac.authorization.k8s.io/sealed-secrets-service-proxier created
+rolebinding.rbac.authorization.k8s.io/sealed-secrets-controller created
+clusterrolebinding.rbac.authorization.k8s.io/sealed-secrets-controller created
+serviceaccount/sealed-secrets-controller created
+deployment.apps/sealed-secrets-controller created
+customresourcedefinition.apiextensions.k8s.io/sealedsecrets.bitnami.com 
configured
+rolebinding.rbac.authorization.k8s.io/sealed-secrets-service-proxier created
+service/sealed-secrets-controller created
+role.rbac.authorization.k8s.io/sealed-secrets-key-admin created
+clusterrole.rbac.authorization.k8s.io/secrets-unsealer configured
+```
+
+Where `{{VERSION}}` is the Sealed Secrets latest version (i.e `v0.22.0`).
+
+Once you deploy the manifest it will create the SealedSecret resource and 
install the controller into `kube-system` namespace, create a service account 
and necessary RBAC roles.
+
+After a few moments, the controller will start, generate a key pair, and be 
ready for operation. If it does not, check the controller logs.
+
+### Installing in a GKE cluster
+
+Installing the controller on GKE clusters without admin rights might be 
problematic. For that, a `ClusterRoleBinding` will be needed to deploy the 
controller in the final command.  Replace `{{your-email}}` with a valid email, 
and then deploy the cluster role binding:
+
+```bash
+USER_EMAIL={{your-email}}
+kubectl create clusterrolebinding $USER-cluster-admin-binding 
--clusterrole=cluster-admin --user=$USER_EMAIL
+```
+
+Please refer to the [GKE how-to](../howto/) for additional instructions on 
that platform.
+
+## Installing the Helm Chart
+
+The Sealed Secrets [Helm chart](https://helm.sh/) is officially supported and 
hosted in this GitHub repository.
+```shell
+helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
+helm install sealed-secrets-controller sealed-secrets/sealed-secrets \
+--set namespace=kube-system \
+```
+
+> The `kubeseal` CLI assumes that the controller is installed within the 
`kube-system` namespace by default with a deployment named 
`sealed-secrets-controller`. The above installation defines the same 
configuration to avoid unnecessary friction while using kubeseal.
+
+### Installing in an Openshift cluster
+
+Openshift installations will require some minor adjustments to comply with the 
standard Container Security Context restrictions:
+
+```yaml
+containerSecurityContext:
+  enabled: true
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: null
+podSecurityContext:
+```
+
+## Installing the Carvel package
+
+It is also possible to install Sealed Secrets as a [Carvel 
package](https://carvel.dev/kapp-controller/docs/v0.46.0/packaging/). To do so, 
you'll need to install `kapp-controller` in the target cluster and then deploy 
the needed `Package` and `PackageInstall` manifests.
+
+```console
+$ kapp deploy -a kc -f 
https://github.com/vmware-tanzu/carvel-kapp-controller/releases/latest/download/release.yml
+
+$ kapp deploy -a sealed-secrets-carvel -f 
https://raw.githubusercontent.com/bitnami-labs/sealed-secrets/main/carvel/package.yaml
+Changes
+
+Namespace  Name                              Kind     Conds.  Age  Op      Op 
st.  Wait to    Rs  Ri
+default    sealedsecrets.bitnami.com.2.10.0  Package  -       -    create  -   
    reconcile  -   -
+...
+Succeeded
+
+$ kubectl get Package
+NAME                               PACKAGEMETADATA NAME        VERSION   AGE
+sealedsecrets.bitnami.com.2.10.0   sealedsecrets.bitnami.com   2.10.0    18s
+```
+
+Once the Package is available, it'll be necessary to execute the 
PackageInstall action, following the [carvel 
documentation](https://carvel.dev/kapp-controller/docs/v0.35.0/packaging-tutorial/#installing-a-package).
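Review bot: three snippets in this new tutorial will not work as pasted. The Helm block ends on `--set namespace=kube-system \`, a dangling line continuation that leaves the shell waiting for more input; drop the trailing backslash and add a blank line before the opening fence. The OpenShift values end with a bare `podSecurityContext:` key whose settings are missing. The GKE command names the binding with `$USER` while the variable it defines is `USER_EMAIL`, and both expansions are unquoted; because it grants `cluster-admin`, the text should also say whether the binding is still needed once the controller is installed. Smaller points: `{{VERSION}}` is illustrated with "i.e `v0.22.0`", which should read "e.g." and is older than this release; the Carvel commands fetch from `releases/latest` and the `main` branch rather than a pinned version; the two kapp-controller documentation links point at different versions (v0.46.0 and v0.35.0); and the GKE how-to link goes to `../howto/` rather than a specific page.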
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sealed-secrets-0.23.0/site/data/docs/latest-toc.yml 
new/sealed-secrets-0.23.1/site/data/docs/latest-toc.yml
--- old/sealed-secrets-0.23.0/site/data/docs/latest-toc.yml     2023-07-17 
12:49:49.000000000 +0200
+++ new/sealed-secrets-0.23.1/site/data/docs/latest-toc.yml     2023-08-17 
14:19:21.000000000 +0200
@@ -11,7 +11,8 @@
     subfolderitems:
       - url: /tutorials/getting-started
         page: Get Started with Sealed Secrets
-
+      - url: /tutorials/install-sealed-secrets
+        page: Sealed Secrets controller installation
   - title: How-to guides
     subfolderitems:
       - url: /howto/validate-sealed-secrets

++++++ sealed-secrets.obsinfo ++++++
--- /var/tmp/diff_new_pack.tUO87G/_old  2023-09-07 21:14:50.789821286 +0200
+++ /var/tmp/diff_new_pack.tUO87G/_new  2023-09-07 21:14:50.789821286 +0200
@@ -1,5 +1,5 @@
 name: sealed-secrets
-version: 0.23.0
-mtime: 1689590989
-commit: ad430d5c2bb7cf8ac53024b49930ddd0ef34390f
+version: 0.23.1
+mtime: 1692274761
+commit: daa514e978924ee31007b6213783b7e4623a08c1
 

++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/kubeseal/vendor.tar.gz 
/work/SRC/openSUSE:Factory/.kubeseal.new.1766/vendor.tar.gz differ: char 5, 
line 1
