Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package kubeseal for openSUSE:Factory checked in at 2026-02-26 18:52:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kubeseal (Old) and /work/SRC/openSUSE:Factory/.kubeseal.new.29461 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kubeseal" Thu Feb 26 18:52:14 2026 rev:44 rq:1335199 version:0.36.0 Changes: -------- --- /work/SRC/openSUSE:Factory/kubeseal/kubeseal.changes 2026-02-18 17:08:47.834133036 +0100 +++ /work/SRC/openSUSE:Factory/.kubeseal.new.29461/kubeseal.changes 2026-02-26 18:53:41.134103900 +0100 @@ -1,0 +2,9 @@ +Thu Feb 26 06:20:36 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 0.36.0: + * Release Notes 0.36.0 (#1887) + * [Security] Preserve scope during Sealed Secret rotation (#1886) + * [Security] Throw an error in case of inconsistencies in the + Sealed Secrets (#1885) + +------------------------------------------------------------------- Old: ---- kubeseal-0.35.0.obscpio New: ---- kubeseal-0.36.0.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kubeseal.spec ++++++ --- /var/tmp/diff_new_pack.Dnb5fy/_old 2026-02-26 18:53:46.838341343 +0100 +++ /var/tmp/diff_new_pack.Dnb5fy/_new 2026-02-26 18:53:46.842341510 +0100 @@ -17,7 +17,7 @@ Name: kubeseal -Version: 0.35.0 +Version: 0.36.0 Release: 0 Summary: CLI for encrypting secrets to SealedSecrets License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.Dnb5fy/_old 2026-02-26 18:53:46.882343175 +0100 +++ /var/tmp/diff_new_pack.Dnb5fy/_new 2026-02-26 18:53:46.886343341 +0100 @@ -3,7 +3,7 @@ <param name="url">https://github.com/bitnami-labs/sealed-secrets</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v0.35.0</param> + <param name="revision">v0.36.0</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.Dnb5fy/_old 2026-02-26 18:53:46.930345173 +0100 +++ /var/tmp/diff_new_pack.Dnb5fy/_new 2026-02-26 18:53:46.934345339 +0100 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/bitnami-labs/sealed-secrets</param> - <param name="changesrevision">7f8477cf1ebc23f00a23f19e9b776c88bb7ea0c4</param></service></servicedata> + <param name="changesrevision">97e5023c97fa29a5a91706c6d140851fa282bae7</param></service></servicedata> (No newline at EOF) ++++++ kubeseal-0.35.0.obscpio -> kubeseal-0.36.0.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kubeseal-0.35.0/RELEASE-NOTES.md new/kubeseal-0.36.0/RELEASE-NOTES.md --- old/kubeseal-0.35.0/RELEASE-NOTES.md 2026-02-12 11:19:05.000000000 +0100 +++ new/kubeseal-0.36.0/RELEASE-NOTES.md 2026-02-25 17:49:13.000000000 +0100 @@ -4,6 +4,13 @@ [](https://github.com/bitnami-labs/sealed-secrets/releases/latest) +## v0.36.0 + +- [Security] Preserve scope during Sealed Secret rotation ([#1886](https://github.com/bitnami-labs/sealed-secrets/pull/1886)) +- [Security] Throw an error in case of inconsistencies in the Sealed Secrets ([#1885](https://github.com/bitnami-labs/sealed-secrets/pull/1885)) +- Bump distroless/static from `972618c` to `d90359c` in /docker ([#1884](https://github.com/bitnami-labs/sealed-secrets/pull/1884)) +- Set up OCI GH to release helm chart ([#1883](https://github.com/bitnami-labs/sealed-secrets/pull/1883)) + ## v0.35.0 - my namespace as key namespace ([#1867](https://github.com/bitnami-labs/sealed-secrets/pull/1867)) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kubeseal-0.35.0/carvel/package.yaml new/kubeseal-0.36.0/carvel/package.yaml --- old/kubeseal-0.35.0/carvel/package.yaml 2026-02-12 11:19:05.000000000 +0100 +++ new/kubeseal-0.36.0/carvel/package.yaml 2026-02-25 17:49:13.000000000 +0100 
@@ -1,10 +1,10 @@ apiVersion: data.packaging.carvel.dev/v1alpha1 kind: Package metadata: - name: "sealedsecrets.bitnami.com.2.18.0" + name: "sealedsecrets.bitnami.com.2.18.1" spec: refName: "sealedsecrets.bitnami.com" - version: "2.18.0" + version: "2.18.1" valuesSchema: openAPIv3: title: Chart Values @@ -424,7 +424,7 @@ spec: fetch: - imgpkgBundle: - image: ghcr.io/bitnami-labs/sealed-secrets-carvel@sha256:6d13f40c01e1fa53c6ff8cf26062bee3777989b07215537c9093b6f18562c4c3 + image: ghcr.io/bitnami-labs/sealed-secrets-carvel@sha256:9dd602e7653ef7979a67eeab60bd58fe1059de8cc208d40d5293279bd80f6478 template: - helmTemplate: path: sealed-secrets diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kubeseal-0.35.0/docker/controller.Dockerfile new/kubeseal-0.36.0/docker/controller.Dockerfile --- old/kubeseal-0.35.0/docker/controller.Dockerfile 2026-02-12 11:19:05.000000000 +0100 +++ new/kubeseal-0.36.0/docker/controller.Dockerfile 2026-02-25 17:49:13.000000000 +0100 @@ -1,4 +1,4 @@ -FROM gcr.io/distroless/static@sha256:972618ca78034aaddc55864342014a96b85108c607372f7cbd0dbd1361f1d841 +FROM gcr.io/distroless/static@sha256:d90359c7a3ad67b3c11ca44fd5f3f5208cbef546f2e692b0dc3410a869de46bf LABEL maintainer "Sealed Secrets <[email protected]>" USER 1001 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kubeseal-0.35.0/docker/kubeseal.Dockerfile new/kubeseal-0.36.0/docker/kubeseal.Dockerfile --- old/kubeseal-0.35.0/docker/kubeseal.Dockerfile 2026-02-12 11:19:05.000000000 +0100 +++ new/kubeseal-0.36.0/docker/kubeseal.Dockerfile 2026-02-25 17:49:13.000000000 +0100 
@@ -1,4 +1,4 @@ -FROM gcr.io/distroless/static@sha256:972618ca78034aaddc55864342014a96b85108c607372f7cbd0dbd1361f1d841 +FROM gcr.io/distroless/static@sha256:d90359c7a3ad67b3c11ca44fd5f3f5208cbef546f2e692b0dc3410a869de46bf LABEL maintainer "Sealed Secrets <[email protected]>" USER 1001 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kubeseal-0.35.0/helm/sealed-secrets/Chart.yaml new/kubeseal-0.36.0/helm/sealed-secrets/Chart.yaml --- old/kubeseal-0.35.0/helm/sealed-secrets/Chart.yaml 2026-02-12 11:19:05.000000000 +0100 +++ new/kubeseal-0.36.0/helm/sealed-secrets/Chart.yaml 2026-02-25 17:49:13.000000000 +0100 @@ -1,7 +1,7 @@ annotations: category: DeveloperTools apiVersion: v2 -appVersion: 0.34.0 +appVersion: 0.35.0 description: Helm chart for the sealed-secrets controller. home: https://github.com/bitnami-labs/sealed-secrets icon: https://bitnami.com/assets/stacks/sealed-secrets/img/sealed-secrets-stack-220x234.png @@ -14,6 +14,6 @@ url: https://github.com/bitnami-labs/sealed-secrets name: sealed-secrets type: application -version: 2.18.0 +version: 2.18.1 sources: - https://github.com/bitnami-labs/sealed-secrets diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kubeseal-0.35.0/helm/sealed-secrets/README.md new/kubeseal-0.36.0/helm/sealed-secrets/README.md --- old/kubeseal-0.35.0/helm/sealed-secrets/README.md 2026-02-12 11:19:05.000000000 +0100 +++ new/kubeseal-0.36.0/helm/sealed-secrets/README.md 2026-02-25 17:49:13.000000000 +0100 
@@ -86,7 +86,7 @@ | ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | ----------------------------------- | | `image.registry` | Sealed Secrets image registry | `docker.io` | | `image.repository` | Sealed Secrets image repository | `bitnami/sealed-secrets-controller` | -| `image.tag` | Sealed Secrets image tag (immutable tags are recommended) | `0.34.0` | +| `image.tag` | Sealed Secrets image tag (immutable tags are recommended) | `0.35.0` | | `image.pullPolicy` | Sealed Secrets image pull policy | `IfNotPresent` | | `image.pullSecrets` | Sealed Secrets image pull secrets | `[]` | | `revisionHistoryLimit` | Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) | `""` | diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kubeseal-0.35.0/helm/sealed-secrets/values.yaml new/kubeseal-0.36.0/helm/sealed-secrets/values.yaml --- old/kubeseal-0.35.0/helm/sealed-secrets/values.yaml 2026-02-12 11:19:05.000000000 +0100 +++ new/kubeseal-0.36.0/helm/sealed-secrets/values.yaml 2026-02-25 17:49:13.000000000 +0100 @@ -39,7 +39,7 @@ image: registry: docker.io repository: bitnami/sealed-secrets-controller - tag: 0.34.0 + tag: 0.35.0 ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kubeseal-0.35.0/pkg/controller/controller.go new/kubeseal-0.36.0/pkg/controller/controller.go --- old/kubeseal-0.35.0/pkg/controller/controller.go 2026-02-12 11:19:05.000000000 +0100 +++ new/kubeseal-0.36.0/pkg/controller/controller.go 2026-02-25 17:49:13.000000000 +0100 
@@ -568,6 +568,13 @@ switch s := object.(type) { case *ssv1alpha1.SealedSecret: + // Verify metainformation is well set up in Template ObjectMeta and ObjectMeta to avoid unconsistences with the scope during the rotate. + // This is going to keep the original scope. + if !reflect.DeepEqual(s.ObjectMeta, s.Spec.Template.ObjectMeta) { + s.ObjectMeta.DeepCopyInto(&s.Spec.Template.ObjectMeta) + slog.Warn("Sealed Secret metadata doesn't match. Please align your Sealed Secret metadata") + } + secret, err := c.attemptUnseal(s) if err != nil { return nil, fmt.Errorf("error decrypting secret. %v", err) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kubeseal-0.35.0/pkg/controller/controller_test.go new/kubeseal-0.36.0/pkg/controller/controller_test.go --- old/kubeseal-0.35.0/pkg/controller/controller_test.go 2026-02-12 11:19:05.000000000 +0100 +++ new/kubeseal-0.36.0/pkg/controller/controller_test.go 2026-02-25 17:49:13.000000000 +0100 @@ -3,15 +3,22 @@ import ( "context" "crypto/rand" + "crypto/rsa" "errors" "fmt" "testing" + "time" + + "encoding/json" ssv1alpha1 "github.com/bitnami-labs/sealed-secrets/pkg/apis/sealedsecrets/v1alpha1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + runtimeserializer "k8s.io/apimachinery/pkg/runtime/serializer" "k8s.io/client-go/kubernetes" "k8s.io/client-go/kubernetes/fake" + "k8s.io/client-go/kubernetes/scheme" ssfake "github.com/bitnami-labs/sealed-secrets/pkg/client/clientset/versioned/fake" ) 
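Review bot: The new guard compares the entire ObjectMeta with reflect.DeepEqual, so any difference at all — server-populated fields such as uid, resourceVersion or managedFields on an object exported from a cluster, or labels and annotations that only the template carries — triggers the DeepCopyInto and replaces the template metadata wholesale, which is wider than the scope preservation the comment describes. If scope is decided by the scope annotations together with name and namespace (the test only exercises the cluster-wide annotation, so I am inferring this), comparing and copying just those fields would keep the scope without discarding template-only metadata. At minimum the warning should say what was changed, e.g. `slog.Warn("Sealed Secret metadata doesn't match its template; template metadata replaced with the object's metadata", "name", s.ObjectMeta.Name, "namespace", s.ObjectMeta.Namespace)`. The comment also has typos; `// Align Spec.Template.ObjectMeta with ObjectMeta so the scope used during rotation stays the original one.` reads cleaner. The enclosing function (presumably Rotate, given the tests) starts before and continues after this hunk.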
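Review bot: `"encoding/json"` is added in its own group after the other standard-library imports instead of alongside them; goimports would place it with `"crypto/rsa"` and `"errors"` in the first group, so moving it there keeps the file gofmt/goimports-clean. The import block is complete within the hunk.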
@@ -227,3 +234,167 @@ } return keyRegistry } + +func prettyEncoder(codecs runtimeserializer.CodecFactory, mediaType string, gv runtime.GroupVersioner) (runtime.Encoder, error) { + info, ok := runtime.SerializerInfoForMediaType(codecs.SupportedMediaTypes(), mediaType) + if !ok { + return nil, fmt.Errorf("binary can't serialize %s", mediaType) + } + + prettyEncoder := info.PrettySerializer + if prettyEncoder == nil { + prettyEncoder = info.Serializer + } + + enc := codecs.EncoderForVersion(prettyEncoder, gv) + return enc, nil +} + +func TestRotate(t *testing.T) { + ns := "some-namespace" + keyNs := "some-key-namespace" + var tweakopts func(*metav1.ListOptions) + clientset := fake.NewClientset() + ssc := ssfake.NewSimpleClientset() + keyRegistry := testKeyRegister(t, context.Background(), clientset, ns) + + // Add a key to the controller for second test + validFor := time.Hour + cn := "my-cn" + _, err := keyRegistry.generateKey(context.Background(), validFor, cn, "", "") + if err != nil { + t.Fatal(err) + } + + controller, err := prepareController(clientset, ns, keyNs, tweakopts, &Flags{SkipRecreate: false}, ssc, keyRegistry) + if err != nil { + t.Fatalf("err %v want %v", err, nil) + } + if controller == nil { + t.Fatalf("ctrl %v want non nil", controller) + } + if controller.sInformer == nil { + t.Fatalf("sInformer %v want non nil", controller.sInformer) + } + + secret := &corev1.Secret{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "v1", + Kind: "Secret", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "ss", + Namespace: "default", + }, + Data: map[string][]byte{ + // dGVtcG9yYWw= is base64 for "temporal" + "password": []byte("temporal"), + }, + } + + cert, err := controller.keyRegistry.getCert() + if err != nil { + t.Fatalf("error getting certificate: %v", err) + } + + ssecret, err := ssv1alpha1.NewSealedSecret(scheme.Codecs, cert.PublicKey.(*rsa.PublicKey), secret) + if err != nil { + t.Fatalf("error creating sealed secrets: %v", err) + } + + prettyEnc, err := 
prettyEncoder(scheme.Codecs, runtime.ContentTypeYAML, ssv1alpha1.SchemeGroupVersion) + if err != nil { + t.Fatalf("unexpected pretty encoding: %v", err) + } + + data, err := runtime.Encode(prettyEnc, ssecret) + if err != nil { + t.Fatalf("unexpected encoding the sealed secret: %v", err) + } + + got, err := controller.Rotate(data) + if err != nil { + t.Fatalf("unexpected failure converting to a sealed secret: %v", err) + } + if string(got) == string(data) { + t.Fatalf("got %v want %v", string(got), string(data)) + } +} + +func TestRotateKeepScope(t *testing.T) { + ns := "some-namespace" + keyNs := "some-key-namespace" + var tweakopts func(*metav1.ListOptions) + clientset := fake.NewClientset() + ssc := ssfake.NewSimpleClientset() + keyRegistry := testKeyRegister(t, context.Background(), clientset, ns) + + // Add a key to the controller for second test + validFor := time.Hour + cn := "my-cn" + _, err := keyRegistry.generateKey(context.Background(), validFor, cn, "", "") + if err != nil { + t.Fatal(err) + } + + controller, err := prepareController(clientset, ns, keyNs, tweakopts, &Flags{SkipRecreate: false}, ssc, keyRegistry) + if err != nil { + t.Fatalf("err %v want %v", err, nil) + } + if controller == nil { + t.Fatalf("ctrl %v want non nil", controller) + } + if controller.sInformer == nil { + t.Fatalf("sInformer %v want non nil", controller.sInformer) + } + + secret := &corev1.Secret{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "v1", + Kind: "Secret", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "ss", + Namespace: "default", + }, + Data: map[string][]byte{ + // dGVtcG9yYWw= is base64 for "temporal" + "password": []byte("temporal"), + }, + } + + cert, err := controller.keyRegistry.getCert() + if err != nil { + t.Fatalf("error getting certificate: %v", err) + } + + ssecret, err := ssv1alpha1.NewSealedSecret(scheme.Codecs, cert.PublicKey.(*rsa.PublicKey), secret) + if err != nil { + t.Fatalf("error creating sealed secrets: %v", err) + } + 
ssecret.Spec.Template.ObjectMeta.Annotations = map[string]string{ssv1alpha1.SealedSecretClusterWideAnnotation: "true"} + + prettyEnc, err := prettyEncoder(scheme.Codecs, runtime.ContentTypeJSON, ssv1alpha1.SchemeGroupVersion) + if err != nil { + t.Fatalf("unexpected pretty encoding: %v", err) + } + + data, err := runtime.Encode(prettyEnc, ssecret) + if err != nil { + t.Fatalf("unexpected encoding the sealed secret: %v", err) + } + + out, err := controller.Rotate(data) + if err != nil { + t.Fatalf("expected failure is not hit") + } + + s := &ssv1alpha1.SealedSecret{} + if err = json.Unmarshal(out, s); err != nil { + t.Fatalf("error unmarshalling the rotate sealed secret") + } + + if ssv1alpha1.SecretScope(s) != ssv1alpha1.SecretScope(ssecret) { + t.Fatalf("Scope from the original and the rotate sealed secret do not match") + } +} ++++++ kubeseal.obsinfo ++++++ --- /var/tmp/diff_new_pack.Dnb5fy/_old 2026-02-26 18:53:47.590372647 +0100 +++ /var/tmp/diff_new_pack.Dnb5fy/_new 2026-02-26 18:53:47.602373147 +0100 @@ -1,5 +1,5 @@ name: kubeseal -version: 0.35.0 -mtime: 1770891545 -commit: 7f8477cf1ebc23f00a23f19e9b776c88bb7ea0c4 +version: 0.36.0 +mtime: 1772038153 +commit: 97e5023c97fa29a5a91706c6d140851fa282bae7 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/kubeseal/vendor.tar.gz /work/SRC/openSUSE:Factory/.kubeseal.new.29461/vendor.tar.gz differ: char 151, line 1
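Review bot: In TestRotateKeepScope the error branch after `controller.Rotate(data)` fails with `t.Fatalf("expected failure is not hit")`, which describes the opposite of what happened and drops err; `t.Fatalf("unexpected failure rotating the sealed secret: %v", err)` matches the sibling test, and the `json.Unmarshal` branch should carry `%v` with err for the same reason. The test sets the cluster-wide annotation only on `ssecret.Spec.Template.ObjectMeta.Annotations`, while the controller change in this commit overwrites the template metadata from the object's metadata whenever they differ, so whether the final assertion exercises the preserved-scope path depends on what SecretScope reads, which is not visible here; setting the annotation on the object's ObjectMeta as well, or comparing against a fixed expected scope rather than `SecretScope(ssecret)`, would make the intent unambiguous. TestRotate and TestRotateKeepScope share roughly forty identical setup lines (key registry, controller, Secret, certificate, NewSealedSecret); a helper returning the controller and the sealed secret would leave each test with only what it is about. Both functions are complete within the hunk, which ends at the end of the file.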
