From d69b8ec96dd2a54cdb46571c3db651e72a848eb6 Mon Sep 17 00:00:00 2001 From: Alejandro Moreno Date: Thu, 15 Feb 2024 15:36:08 +0100 Subject: [PATCH] Release chart 2.15.0 (#1465) Signed-off-by: Alejandro Moreno --- helm/sealed-secrets/Chart.yaml | 4 +-- helm/sealed-secrets/README.md | 44 ++++++++++++++++----------------- helm/sealed-secrets/values.yaml | 8 +++--- 3 files changed, 28 insertions(+), 28 deletions(-) diff --git a/helm/sealed-secrets/Chart.yaml b/helm/sealed-secrets/Chart.yaml index d3b5077e6..7f8cf82a3 100644 --- a/helm/sealed-secrets/Chart.yaml +++ b/helm/sealed-secrets/Chart.yaml @@ -1,7 +1,7 @@ annotations: category: DeveloperTools apiVersion: v2 -appVersion: 0.25.0 +appVersion: 0.26.0 description: Helm chart for the sealed-secrets controller. home: https://github.com/bitnami-labs/sealed-secrets icon: https://bitnami.com/assets/stacks/sealed-secrets/img/sealed-secrets-stack-220x234.png @@ -14,6 +14,6 @@ maintainers: url: https://github.com/bitnami-labs/sealed-secrets name: sealed-secrets type: application -version: 2.14.2 +version: 2.15.0 sources: - https://github.com/bitnami-labs/sealed-secrets diff --git a/helm/sealed-secrets/README.md b/helm/sealed-secrets/README.md index 705ede7c9..7ea89d1b5 100644 --- a/helm/sealed-secrets/README.md +++ b/helm/sealed-secrets/README.md @@ -79,7 +79,6 @@ The command removes all the Kubernetes components associated with the chart and | `extraDeploy` | Array of extra objects to deploy with the release | `[]` | | `commonAnnotations` | Annotations to add to all deployed resources | `{}` | | `commonLabels` | Labels to add to all deployed resources | `{}` | -| `rbac.serviceProxier` | Configure who is able to access the SealedSecrets service. This may have security implications so the options should be reviewed carefully. | See [Other Parameters](#other-parameters) | ### Sealed Secrets Parameters 
@@ -87,7 +86,7 @@ The command removes all the Kubernetes components associated with the chart and | ------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ----------------------------------- | | `image.registry` | Sealed Secrets image registry | `docker.io` | | `image.repository` | Sealed Secrets image repository | `bitnami/sealed-secrets-controller` | -| `image.tag` | Sealed Secrets image tag (immutable tags are recommended) | `0.25.0` | +| `image.tag` | Sealed Secrets image tag (immutable tags are recommended) | `0.26.0` | | `image.pullPolicy` | Sealed Secrets image pull policy | `IfNotPresent` | | `image.pullSecrets` | Sealed Secrets image pull secrets | `[]` | | `revisionHistoryLimit` | Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) | `""` | @@ -102,8 +101,8 @@ The command removes all the Kubernetes components associated with the chart and | `privateKeyAnnotations` | Map of annotations to be set on the sealing keypairs | `{}` | | `privateKeyLabels` | Map of labels to be set on the sealing keypairs | `{}` | | `logInfoStdout` | Specifies whether the Sealed Secrets controller will log info to stdout | `false` | -| `logLevel` | Specifies log level of controller (INFO,ERROR) | `""` | -| `logFormat` | Specifies log format (text,json) | `""` | +| `logLevel` | Specifies log level of controller (INFO,ERROR) | `""` | +| `logFormat` | Specifies log format (text,json) | `""` | | `command` | Override default container command | `[]` | | `args` | Override default container args | `[]` | | `livenessProbe.enabled` | Enable livenessProbe on Sealed Secret containers | `true` | 
@@ -176,24 +175,25 @@ The command removes all the Kubernetes components associated with the chart and ### Other Parameters -| Name | Description | Value | -| ---------------------------- | -------------------------------------------------------------------------------------------------------- | ------------------ | -| `serviceAccount.annotations` | Annotations for Sealed Secret service account | `{}` | -| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | -| `serviceAccount.labels` | Extra labels to be added to the ServiceAccount | `{}` | -| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | -| `rbac.create` | Specifies whether RBAC resources should be created | `true` | -| `rbac.clusterRole` | Specifies whether the Cluster Role resource should be created | `true` | -| `rbac.clusterRoleName` | Specifies the name for the Cluster Role resource | `secrets-unsealer` | -| `rbac.namespacedRoles` | Specifies whether the namespaced Roles should be created (in each of the specified additionalNamespaces) | `false` | -| `rbac.namespacedRolesName` | Specifies the name for the namesapced Role resource | `secrets-unsealer` | -| `rbac.labels` | Extra labels to be added to RBAC resources | `{}` | -| `rbac.pspEnabled` | PodSecurityPolicy | `false` | -| `rbac.serviceProxier.create` | Specifies whether to create the "service proxier" role, to allow access to the SealedSecret API | `true` | -| `rbac.serviceProxier.bind` | Specifies whether to create a RoleBinding for the "service proxier" role | `true` | -| `rbac.serviceProxier.subjects` | Specifies the Subjects to grant the "service proxier" role to, in the created RoleBinding. 
Using this chart's default value that grants access to the `system:authenticated` group is [discouraged in GKE][gkebp] | `"[{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:authenticated"}]"` | - -[gkebp]: https://cloud.google.com/kubernetes-engine/docs/best-practices/rbac#default-roles-groups +| Name | Description | Value | +| ------------------------------ | -------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- | +| `serviceAccount.annotations` | Annotations for Sealed Secret service account | `{}` | +| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | +| `serviceAccount.labels` | Extra labels to be added to the ServiceAccount | `{}` | +| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | +| `rbac.create` | Specifies whether RBAC resources should be created | `true` | +| `rbac.clusterRole` | Specifies whether the Cluster Role resource should be created | `true` | +| `rbac.clusterRoleName` | Specifies the name for the Cluster Role resource | `secrets-unsealer` | +| `rbac.namespacedRoles` | Specifies whether the namespaced Roles should be created (in each of the specified additionalNamespaces) | `false` | +| `rbac.namespacedRolesName` | Specifies the name for the namesapced Role resource | `secrets-unsealer` | +| `rbac.labels` | Extra labels to be added to RBAC resources | `{}` | +| `rbac.pspEnabled` | PodSecurityPolicy | `false` | +| `rbac.serviceProxier.create` | Specifies whether to create the "proxier" role, to allow external users to access the SealedSecret API | `true` | +| `rbac.serviceProxier.bind` | Specifies whether to create a RoleBinding for the "proxier" role | `true` | +| `rbac.serviceProxier.subjects` | Specifies the RBAC subjects to grant the "proxier" role to, in the created RoleBinding | `- apiGroup: rbac.authorization.k8s.io + 
kind: Group + name: system:authenticated +` | ### Metrics parameters diff --git a/helm/sealed-secrets/values.yaml b/helm/sealed-secrets/values.yaml index 05b2edf35..6e053350b 100644 --- a/helm/sealed-secrets/values.yaml +++ b/helm/sealed-secrets/values.yaml @@ -39,7 +39,7 @@ commonLabels: {} image: registry: docker.io repository: bitnami/sealed-secrets-controller - tag: 0.25.0 + tag: 0.26.0 ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images @@ -408,13 +408,13 @@ rbac: ## "Proxier" RBAC Role configuration ## serviceProxier: - ## @param create Specifies whether to create the "proxier" role, to allow external users to access the SealedSecret API + ## @param rbac.serviceProxier.create Specifies whether to create the "proxier" role, to allow external users to access the SealedSecret API ## create: true - ## @param bind Specifies whether to create a RoleBinding for the "proxier" role + ## @param rbac.serviceProxier.bind Specifies whether to create a RoleBinding for the "proxier" role ## bind: true - ## @param subjects Specifies the RBAC subjects to grant the "proxier" role to, in the created RoleBinding + ## @param rbac.serviceProxier.subjects Specifies the RBAC subjects to grant the "proxier" role to, in the created RoleBinding ## It is best to change this to something narrower, as the default binding gives `system:authenticated` access, which is very broad ## subjects: |
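Review bot: In the `helm/sealed-secrets/README.md` hunk at `@@ -79,7 +79,6`, removing the `rbac.serviceProxier` row drops the only sentence in the common parameters table saying these options "may have security implications" and should be reviewed carefully, and nothing in this patch adds equivalent wording elsewhere in the README. Since the default subject is still `system:authenticated`, I would keep a one-line security remark in the README, for example in the description of `rbac.serviceProxier.subjects`.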
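Review bot: In the `helm/sealed-secrets/README.md` hunk at `@@ -176,24 +175,25`, the new `rbac.serviceProxier.subjects` row puts a multi-line YAML default in the Value cell, so the row breaks after `apiGroup: rbac.authorization.k8s.io` and the `kind:` and `name:` lines fall outside the table. The removed row kept the default on one line as a JSON array, and a single-line form here would keep the table well-formed. The same hunk also deletes the `[gkebp]` reference and the statement that granting the role to `system:authenticated` is discouraged in GKE; please keep that pointer, since the default it warns about is unchanged.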
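Review bot: In the `helm/sealed-secrets/values.yaml` hunk at `@@ -408,13 +408,13`, the warning "It is best to change this to something narrower, as the default binding gives `system:authenticated` access, which is very broad" stays on a separate comment line under `@param rbac.serviceProxier.subjects`, and the README row added in this patch carries only the `@param` sentence, so the warning does not reach the README. Suggest folding the caveat into the `@param rbac.serviceProxier.subjects` description itself. With `create: true` and `bind: true` left as defaults, it is also worth stating in the description that every authenticated subject gets the "proxier" role unless `subjects` is overridden.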