Skip to content

Commit

Permalink
Release chart 2.15.0 (#1465)
Browse files Browse the repository at this point in the history 
Signed-off-by: Alejandro Moreno <amorenoc@vmware.com>
  • Loading branch information
@alemorcuq
alemorcuq committed Feb 15, 2024
1 parent c4985c0 commit d69b8ec
Show file tree
Hide file tree
Showing 3 changed files with 28 additions and 28 deletions.
4 changes: 2 additions & 2 deletions helm/sealed-secrets/Chart.yaml
View file
@@ -1,7 +1,7 @@
annotations:
category: DeveloperTools
apiVersion: v2
appVersion: 0.25.0
appVersion: 0.26.0
description: Helm chart for the sealed-secrets controller.
home: https://github.com/bitnami-labs/sealed-secrets
icon: https://bitnami.com/assets/stacks/sealed-secrets/img/sealed-secrets-stack-220x234.png
Expand All @@ -14,6 +14,6 @@ maintainers:
url: https://github.com/bitnami-labs/sealed-secrets
name: sealed-secrets
type: application
version: 2.14.2
version: 2.15.0
sources:
- https://github.com/bitnami-labs/sealed-secrets
44 changes: 22 additions & 22 deletions helm/sealed-secrets/README.md
View file
Expand Up @@ -79,15 +79,14 @@ The command removes all the Kubernetes components associated with the chart and
| `extraDeploy` | Array of extra objects to deploy with the release | `[]` |
| `commonAnnotations` | Annotations to add to all deployed resources | `{}` |
| `commonLabels` | Labels to add to all deployed resources | `{}` |
| `rbac.serviceProxier` | Configure who is able to access the SealedSecrets service. This may have security implications so the options should be reviewed carefully. | See [Other Parameters](#other-parameters) |

### Sealed Secrets Parameters

| Name | Description | Value |
| ------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ----------------------------------- |
| `image.registry` | Sealed Secrets image registry | `docker.io` |
| `image.repository` | Sealed Secrets image repository | `bitnami/sealed-secrets-controller` |
| `image.tag` | Sealed Secrets image tag (immutable tags are recommended) | `0.25.0` |
| `image.tag` | Sealed Secrets image tag (immutable tags are recommended) | `0.26.0` |
| `image.pullPolicy` | Sealed Secrets image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Sealed Secrets image pull secrets | `[]` |
| `revisionHistoryLimit` | Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) | `""` |
Expand All @@ -102,8 +101,8 @@ The command removes all the Kubernetes components associated with the chart and
| `privateKeyAnnotations` | Map of annotations to be set on the sealing keypairs | `{}` |
| `privateKeyLabels` | Map of labels to be set on the sealing keypairs | `{}` |
| `logInfoStdout` | Specifies whether the Sealed Secrets controller will log info to stdout | `false` |
| `logLevel` | Specifies log level of controller (INFO,ERROR) | `""` |
| `logFormat` | Specifies log format (text,json) | `""` |
| `logLevel` | Specifies log level of controller (INFO,ERROR) | `""` |
| `logFormat` | Specifies log format (text,json) | `""` |
| `command` | Override default container command | `[]` |
| `args` | Override default container args | `[]` |
| `livenessProbe.enabled` | Enable livenessProbe on Sealed Secret containers | `true` |
Expand Down Expand Up @@ -176,24 +175,25 @@ The command removes all the Kubernetes components associated with the chart and

### Other Parameters

| Name | Description | Value |
| ---------------------------- | -------------------------------------------------------------------------------------------------------- | ------------------ |
| `serviceAccount.annotations` | Annotations for Sealed Secret service account | `{}` |
| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `serviceAccount.labels` | Extra labels to be added to the ServiceAccount | `{}` |
| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
| `rbac.create` | Specifies whether RBAC resources should be created | `true` |
| `rbac.clusterRole` | Specifies whether the Cluster Role resource should be created | `true` |
| `rbac.clusterRoleName` | Specifies the name for the Cluster Role resource | `secrets-unsealer` |
| `rbac.namespacedRoles` | Specifies whether the namespaced Roles should be created (in each of the specified additionalNamespaces) | `false` |
| `rbac.namespacedRolesName` | Specifies the name for the namesapced Role resource | `secrets-unsealer` |
| `rbac.labels` | Extra labels to be added to RBAC resources | `{}` |
| `rbac.pspEnabled` | PodSecurityPolicy | `false` |
| `rbac.serviceProxier.create` | Specifies whether to create the "service proxier" role, to allow access to the SealedSecret API | `true` |
| `rbac.serviceProxier.bind` | Specifies whether to create a RoleBinding for the "service proxier" role | `true` |
| `rbac.serviceProxier.subjects` | Specifies the Subjects to grant the "service proxier" role to, in the created RoleBinding. Using this chart's default value that grants access to the `system:authenticated` group is [discouraged in GKE][gkebp] | `"[{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:authenticated"}]"` |

[gkebp]: https://cloud.google.com/kubernetes-engine/docs/best-practices/rbac#default-roles-groups
| Name | Description | Value |
| ------------------------------ | -------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- |
| `serviceAccount.annotations` | Annotations for Sealed Secret service account | `{}` |
| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `serviceAccount.labels` | Extra labels to be added to the ServiceAccount | `{}` |
| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
| `rbac.create` | Specifies whether RBAC resources should be created | `true` |
| `rbac.clusterRole` | Specifies whether the Cluster Role resource should be created | `true` |
| `rbac.clusterRoleName` | Specifies the name for the Cluster Role resource | `secrets-unsealer` |
| `rbac.namespacedRoles` | Specifies whether the namespaced Roles should be created (in each of the specified additionalNamespaces) | `false` |
| `rbac.namespacedRolesName` | Specifies the name for the namesapced Role resource | `secrets-unsealer` |
| `rbac.labels` | Extra labels to be added to RBAC resources | `{}` |
| `rbac.pspEnabled` | PodSecurityPolicy | `false` |
| `rbac.serviceProxier.create` | Specifies whether to create the "proxier" role, to allow external users to access the SealedSecret API | `true` |
| `rbac.serviceProxier.bind` | Specifies whether to create a RoleBinding for the "proxier" role | `true` |
| `rbac.serviceProxier.subjects` | Specifies the RBAC subjects to grant the "proxier" role to, in the created RoleBinding | `- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:authenticated
` |

### Metrics parameters

Expand Down
8 changes: 4 additions & 4 deletions helm/sealed-secrets/values.yaml
View file
Expand Up @@ -39,7 +39,7 @@ commonLabels: {}
image:
registry: docker.io
repository: bitnami/sealed-secrets-controller
tag: 0.25.0
tag: 0.26.0
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
Expand Down Expand Up @@ -408,13 +408,13 @@ rbac:
## "Proxier" RBAC Role configuration
##
serviceProxier:
## @param create Specifies whether to create the "proxier" role, to allow external users to access the SealedSecret API
## @param rbac.serviceProxier.create Specifies whether to create the "proxier" role, to allow external users to access the SealedSecret API
##
create: true
## @param bind Specifies whether to create a RoleBinding for the "proxier" role
## @param rbac.serviceProxier.bind Specifies whether to create a RoleBinding for the "proxier" role
##
bind: true
## @param subjects Specifies the RBAC subjects to grant the "proxier" role to, in the created RoleBinding
## @param rbac.serviceProxier.subjects Specifies the RBAC subjects to grant the "proxier" role to, in the created RoleBinding
## It is best to change this to something narrower, as the default binding gives `system:authenticated` access, which is very broad
##
subjects: |
Expand Down

0 comments on commit d69b8ec

Please sign in to comment.