Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package kubeseal for openSUSE:Factory checked in at 2026-03-13 21:16:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kubeseal (Old)
 and /work/SRC/openSUSE:Factory/.kubeseal.new.8177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kubeseal" Fri Mar 13 21:16:18 2026 rev:45 rq:1338601 version:0.36.1 Changes: -------- --- /work/SRC/openSUSE:Factory/kubeseal/kubeseal.changes 2026-02-26 18:53:41.134103900 +0100 +++ /work/SRC/openSUSE:Factory/.kubeseal.new.8177/kubeseal.changes 2026-03-13 21:16:43.073079526 +0100 @@ -1,0 +2,16 @@ +Fri Mar 13 06:09:00 UTC 2026 - Johannes Kastl <[email protected]> + +- Update to version 0.36.1: + * Release notes for 0.36.1 (#1916) + * Doc/issue 501 all namespaces (#1900) + * Bump go 1.26.1 (#1914) + * Update actions/setup-go to v6.2.0 (#1906) + * fix: explicitly specify TCP protocol for helm SSA compatibility + (#692) (#1901) + * docs: document GKE Warden and RBAC restrictions (#1892) + * Bump k8s.io/klog/v2 from 2.130.1 to 2.140.0 (#1913) + * chore: remove note about deprecation of helm chart. (#1902) + * Bump k8s.io/code-generator from 0.35.1 to 0.35.2 (#1909) + * Bump k8s.io/client-go from 0.35.1 to 0.35.2 (#1908) + +------------------------------------------------------------------- Old: ---- kubeseal-0.36.0.obscpio New: ---- kubeseal-0.36.1.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kubeseal.spec ++++++ --- /var/tmp/diff_new_pack.XfEaai/_old 2026-03-13 21:16:44.481138006 +0100 +++ /var/tmp/diff_new_pack.XfEaai/_new 2026-03-13 21:16:44.485138172 +0100 @@ -17,14 +17,14 @@ Name: kubeseal -Version: 0.36.0 +Version: 0.36.1 Release: 0 Summary: CLI for encrypting secrets to SealedSecrets License: Apache-2.0 URL: https://github.com/bitnami-labs/sealed-secrets Source: %{name}-%{version}.tar.gz Source1: vendor.tar.gz -BuildRequires: go1.25 >= 1.25.7 +BuildRequires: go1.26 >= 1.26.1 %description Problem: "I can manage all my K8s config in git, except Secrets." ++++++ _service ++++++ --- /var/tmp/diff_new_pack.XfEaai/_old 2026-03-13 21:16:44.521139668 +0100 +++ /var/tmp/diff_new_pack.XfEaai/_new 2026-03-13 21:16:44.529139999 +0100 
@@ -1,9 +1,9 @@ <services> <service name="obs_scm" mode="manual"> - <param name="url">https://github.com/bitnami-labs/sealed-secrets</param> + <param name="url">https://github.com/bitnami-labs/sealed-secrets.git</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v0.36.0</param> + <param name="revision">v0.36.1</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.XfEaai/_old 2026-03-13 21:16:44.581142160 +0100 +++ /var/tmp/diff_new_pack.XfEaai/_new 2026-03-13 21:16:44.589142492 +0100 @@ -1,6 +1,8 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/bitnami-labs/sealed-secrets</param> - <param name="changesrevision">97e5023c97fa29a5a91706c6d140851fa282bae7</param></service></servicedata> + <param name="changesrevision">97e5023c97fa29a5a91706c6d140851fa282bae7</param></service><service name="tar_scm"> + <param name="url">https://github.com/bitnami-labs/sealed-secrets.git</param> + <param name="changesrevision">94bd9538c8770a5a051d5c0d5f9936f968933dad</param></service></servicedata> (No newline at EOF) ++++++ kubeseal-0.36.0.obscpio -> kubeseal-0.36.1.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kubeseal-0.36.0/README.md new/kubeseal-0.36.1/README.md --- old/kubeseal-0.36.0/README.md 2026-02-25 17:49:13.000000000 +0100 +++ new/kubeseal-0.36.1/README.md 2026-03-12 13:30:54.000000000 +0100 
@@ -20,28 +20,36 @@ <!-- START doctoc generated TOC please keep comment here to allow auto update --> <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --> + - [Overview](#overview) - [SealedSecrets as templates for secrets](#sealedsecrets-as-templates-for-secrets) - [Public key / Certificate](#public-key--certificate) - [Scopes](#scopes) - [Installation](#installation) + - [Installation in Restricted Environments (No RBAC)](#installation-in-restricted-environments-no-rbac) - [Controller](#controller) - [Kustomize](#kustomize) - [Helm Chart](#helm-chart) + - [Helm Chart on a restricted environment](#helm-chart-on-a-restricted-environment) - [Kubeseal](#kubeseal) - [Homebrew](#homebrew) - [MacPorts](#macports) + - [Nixpkgs](#nixpkgs) - [Linux](#linux) - [Installation from source](#installation-from-source) - [Upgrade](#upgrade) + - [Supported Versions](#supported-versions) + - [Compatibility with Kubernetes versions](#compatibility-with-kubernetes-versions) - [Usage](#usage) - [Managing existing secrets](#managing-existing-secrets) - [Patching existing secrets](#patching-existing-secrets) + - [Seal secret which can skip set owner references](#seal-secret-which-can-skip-set-owner-references) - [Update existing secrets](#update-existing-secrets) - [Raw mode (experimental)](#raw-mode-experimental) - [Validate a Sealed Secret](#validate-a-sealed-secret) - [Secret Rotation](#secret-rotation) - [Sealing key renewal](#sealing-key-renewal) + - [Key registry init priority order](#key-registry-init-priority-order) - [User secret rotation](#user-secret-rotation) - [Early key renewal](#early-key-renewal) - [Common misconceptions about key renewal](#common-misconceptions-about-key-renewal) 
@@ -51,6 +59,7 @@ - [Crypto](#crypto) - [Developing](#developing) - [FAQ](#faq) + - [Can I encrypt multiple secrets at once, in one YAML / JSON file?](#can-i-encrypt-multiple-secrets-at-once-in-one-yaml--json-file) - [Will you still be able to decrypt if you no longer have access to your cluster?](#will-you-still-be-able-to-decrypt-if-you-no-longer-have-access-to-your-cluster) - [How can I do a backup of my SealedSecrets?](#how-can-i-do-a-backup-of-my-sealedsecrets) - [Can I decrypt my secrets offline with a backup key?](#can-i-decrypt-my-secrets-offline-with-a-backup-key) @@ -59,9 +68,9 @@ - [Can I bring my own (pre-generated) certificates?](#can-i-bring-my-own-pre-generated-certificates) - [How to use kubeseal if the controller is not running within the `kube-system` namespace?](#how-to-use-kubeseal-if-the-controller-is-not-running-within-the-kube-system-namespace) - [How to verify the images?](#how-to-verify-the-images) - - [How to use one controller for a subset of namespaces](#How-to-use-one-controller-for-a-subset-of-namespaces) - - [Can I configure the controller unseal retries](#can-i-configure-the-controller-unseal-retries) - + - [How to use one controller for a subset of namespaces](#how-to-use-one-controller-for-a-subset-of-namespaces) + - [Can I configure the Controller unseal retries?](#can-i-configure-the-controller-unseal-retries) + - [How to manage SealedSecrets across the cluster or specific namespaces?](#how-to-manage-sealedsecrets-across-the-cluster-or-specific-namespaces) - [Community](#community) - [Related projects](#related-projects) 
@@ -260,6 +269,16 @@ - [GKE](docs/GKE.md) +### Installation in Restricted Environments (No RBAC) + +In environments where you lack permissions to create cluster-wide RBAC resources (like `ClusterRoles`), you can use the **`controller-norbac.yaml`** manifest available on the Releases page. + +This version is a minimal deployment that includes only the **Deployment**, **Service**, and **CustomResourceDefinition**. It intentionally omits `ServiceAccount`, `ClusterRole`, and `ClusterRoleBinding`. + +**Requirements:** +1. A cluster administrator must have already installed the SealedSecret CRDs. +2. You must have an allocated Service Account to run the deployment + ### Controller Once you deploy the manifest it will create the `SealedSecret` resource @@ -298,8 +317,6 @@ There can be thus multiple revisions of the helm chart, with fixes that apply only to the helm chart without affecting the static YAML manifests or the controller image itself. -> NOTE: The helm chart readme still contains a deprecation notice, but it no longer reflects reality and will be removed upon the next release. - > NOTE: The helm chart by default installs the controller with the name > `sealed-secrets`, while the `kubeseal` command line interface (CLI) tries to > access the controller with the name `sealed-secrets-controller`. You can > explicitly pass `--controller-name` to the CLI: ```bash 
@@ -843,6 +860,14 @@ The answer is yes, you can configure the number of retries in your controller using the flag `--max-unseal-retries`. This flag allows you to configure the number of maximum retries to unseal your Sealed Secrets. +### How to manage SealedSecrets across the cluster or specific namespaces? + +By default, the controller watches for `SealedSecret` resources across **all namespaces** using the `--all-namespaces` flag (which defaults to `true`). + +If you need to restrict the controller's scope, you have two options: +- **Watch a subset of namespaces:** Use the `--additional-namespaces=<ns1>,<ns2>` flag to provide a comma-separated list of namespaces for the controller to manage. +- **Watch only the local namespace:** Set `--all-namespaces=false` (or the environment variable `SEALED_SECRETS_ALL_NAMESPACES=false`). This is useful for multi-tenant clusters where you want isolated controllers with independent sealing keys in each namespace. + ## Community - [#sealed-secrets on Kubernetes Slack](https://kubernetes.slack.com/messages/sealed-secrets) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kubeseal-0.36.0/RELEASE-NOTES.md new/kubeseal-0.36.1/RELEASE-NOTES.md --- old/kubeseal-0.36.0/RELEASE-NOTES.md 2026-02-25 17:49:13.000000000 +0100 +++ new/kubeseal-0.36.1/RELEASE-NOTES.md 2026-03-12 13:30:54.000000000 +0100 
@@ -4,6 +4,20 @@ [](https://github.com/bitnami-labs/sealed-secrets/releases/latest) +## v0.36.1 + +- Doc/issue 501 all namespaces ([#1900](https://github.com/bitnami-labs/sealed-secrets/pull/1900)) +- Bump go 1.26.1 ([#1914](https://github.com/bitnami-labs/sealed-secrets/pull/1914)) +- Update actions/setup-go to v6.2.0 ([#1906](https://github.com/bitnami-labs/sealed-secrets/pull/1906)) +- fix: explicitly specify TCP protocol for helm SSA compatibility (#692) ([#1901](https://github.com/bitnami-labs/sealed-secrets/pull/1901)) +- docs: document GKE Warden and RBAC restrictions ([#1892](https://github.com/bitnami-labs/sealed-secrets/pull/1892)) +- Bump k8s.io/klog/v2 from 2.130.1 to 2.140.0 ([#1913](https://github.com/bitnami-labs/sealed-secrets/pull/1913)) +- chore: remove note about deprecation of helm chart. ([#1902](https://github.com/bitnami-labs/sealed-secrets/pull/1902)) +- Bump k8s.io/code-generator from 0.35.1 to 0.35.2 ([#1909](https://github.com/bitnami-labs/sealed-secrets/pull/1909)) +- Bump k8s.io/client-go from 0.35.1 to 0.35.2 ([#1908](https://github.com/bitnami-labs/sealed-secrets/pull/1908)) +- Bump distroless/static from `d90359c` to `28efbe9` in /docker ([#1912](https://github.com/bitnami-labs/sealed-secrets/pull/1912)) +- Fix oci push action ([#1899](https://github.com/bitnami-labs/sealed-secrets/pull/1899)) + ## v0.36.0 - [Security] Preserve scope during Sealed Secret rotation ([#1886](https://github.com/bitnami-labs/sealed-secrets/pull/1886)) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kubeseal-0.36.0/docker/controller.Dockerfile new/kubeseal-0.36.1/docker/controller.Dockerfile --- old/kubeseal-0.36.0/docker/controller.Dockerfile 2026-02-25 17:49:13.000000000 +0100 +++ new/kubeseal-0.36.1/docker/controller.Dockerfile 2026-03-12 13:30:54.000000000 +0100 
@@ -1,4 +1,4 @@ -FROM gcr.io/distroless/static@sha256:d90359c7a3ad67b3c11ca44fd5f3f5208cbef546f2e692b0dc3410a869de46bf +FROM gcr.io/distroless/static@sha256:28efbe90d0b2f2a3ee465cc5b44f3f2cf5533514cf4d51447a977a5dc8e526d0 LABEL maintainer "Sealed Secrets <[email protected]>" USER 1001 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kubeseal-0.36.0/docker/kubeseal.Dockerfile new/kubeseal-0.36.1/docker/kubeseal.Dockerfile --- old/kubeseal-0.36.0/docker/kubeseal.Dockerfile 2026-02-25 17:49:13.000000000 +0100 +++ new/kubeseal-0.36.1/docker/kubeseal.Dockerfile 2026-03-12 13:30:54.000000000 +0100 @@ -1,4 +1,4 @@ -FROM gcr.io/distroless/static@sha256:d90359c7a3ad67b3c11ca44fd5f3f5208cbef546f2e692b0dc3410a869de46bf +FROM gcr.io/distroless/static@sha256:28efbe90d0b2f2a3ee465cc5b44f3f2cf5533514cf4d51447a977a5dc8e526d0 LABEL maintainer "Sealed Secrets <[email protected]>" USER 1001 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kubeseal-0.36.0/docs/GKE.md new/kubeseal-0.36.1/docs/GKE.md --- old/kubeseal-0.36.0/docs/GKE.md 2026-02-25 17:49:13.000000000 +0100 +++ new/kubeseal-0.36.1/docs/GKE.md 2026-03-12 13:30:54.000000000 +0100 
@@ -1,3 +1,19 @@ +<!-- START doctoc generated TOC please keep comment here to allow auto update --> +<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --> +**Table of Contents** *generated with [DocToc](https://github.com/thlorenz/doctoc)* + +- [GKE](#gke) + - [Install](#install) + - [Private GKE clusters](#private-gke-clusters) + - [Offline sealing](#offline-sealing) + - [Control Plane to Node firewall](#control-plane-to-node-firewall) +- [RBAC and GKE Warden Restrictions](#rbac-and-gke-warden-restrictions) +- [Workarounds](#workarounds) + - [Option 1: Disable the service-proxier (Simplest)](#option-1-disable-the-service-proxier-simplest) + - [Option 2: Use Google Groups for RBAC (Recommended)](#option-2-use-google-groups-for-rbac-recommended) + +<!-- END doctoc generated TOC please keep comment here to allow auto update --> + # GKE ## Install 
@@ -93,3 +109,65 @@ --target-tags "$NETWORK_TARGET_TAG" \ --priority 1000 ``` +# RBAC and GKE Warden Restrictions + +On GKE clusters running version `1.32.2-gke.1182003` or later, the **GKE +Warden admission webhook** strictly forbids binding any `Role` or +`ClusterRole` to the `system:authenticated` group. + +By default, the `sealed-secrets` Helm chart binds the `service-proxier` +role to this group to allow `kubeseal` to communicate with the +controller and fetch the public key. + +On modern GKE versions, this default configuration will cause the +installation to fail with the following error: + +``` text +admission webhook "warden-validating.common-webhooks.networking.gke.io" denied the request: +GKE Warden rejected the request because it violates one or more constraints. +Violations details: +{"[denied by rbac-binding-limitation]":["Binding any Role or ClusterRole to Group \"system:authenticated\" is forbidden."]} +``` + +------------------------------------------------------------------------ + +# Workarounds + +To successfully deploy on GKE, you must override the default +`serviceProxier` settings in your `values.yaml`. + +------------------------------------------------------------------------ + +## Option 1: Disable the service-proxier (Simplest) + +If you do not need the `kubeseal --fetch-cert` functionality through the +proxier, you can disable its creation entirely: + +``` yaml +rbac: + serviceProxier: + create: false +``` + +------------------------------------------------------------------------ + +## Option 2: Use Google Groups for RBAC (Recommended) + +For a more secure setup, bind the proxier role to a specific restricted +Google Group instead of the broad `system:authenticated` group. + +This requires: + +1. Setting up Google Groups for RBAC in your Google Cloud organization. +2. Creating an "anchor" group named + `[email protected]`. +3. 
Updating your Helm values to point to your specific subgroup: + +``` yaml +rbac: + serviceProxier: + subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: "[email protected]" +``` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kubeseal-0.36.0/go.mod new/kubeseal-0.36.1/go.mod --- old/kubeseal-0.36.0/go.mod 2026-02-25 17:49:13.000000000 +0100 +++ new/kubeseal-0.36.1/go.mod 2026-03-12 13:30:54.000000000 +0100 @@ -1,6 +1,6 @@ module github.com/bitnami-labs/sealed-secrets -go 1.25.7 +go 1.26.1 require ( github.com/Masterminds/sprig/v3 v3.3.0 @@ -16,12 +16,12 @@ github.com/throttled/throttled v2.2.5+incompatible golang.org/x/crypto v0.48.0 gopkg.in/yaml.v2 v2.4.0 - k8s.io/api v0.35.1 - k8s.io/apimachinery v0.35.1 - k8s.io/client-go v0.35.1 - k8s.io/code-generator v0.35.1 + k8s.io/api v0.35.2 + k8s.io/apimachinery v0.35.2 + k8s.io/client-go v0.35.2 + k8s.io/code-generator v0.35.2 k8s.io/klog v1.0.0 - k8s.io/klog/v2 v2.130.1 + k8s.io/klog/v2 v2.140.0 k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kubeseal-0.36.0/go.sum new/kubeseal-0.36.1/go.sum --- old/kubeseal-0.36.0/go.sum 2026-02-25 17:49:13.000000000 +0100 +++ new/kubeseal-0.36.1/go.sum 2026-03-12 13:30:54.000000000 +0100 
@@ -176,20 +176,20 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.35.1 h1:0PO/1FhlK/EQNVK5+txc4FuhQibV25VLSdLMmGpDE/Q= -k8s.io/api v0.35.1/go.mod h1:28uR9xlXWml9eT0uaGo6y71xK86JBELShLy4wR1XtxM= -k8s.io/apimachinery v0.35.1 h1:yxO6gV555P1YV0SANtnTjXYfiivaTPvCTKX6w6qdDsU= -k8s.io/apimachinery v0.35.1/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns= -k8s.io/client-go v0.35.1 h1:+eSfZHwuo/I19PaSxqumjqZ9l5XiTEKbIaJ+j1wLcLM= -k8s.io/client-go v0.35.1/go.mod h1:1p1KxDt3a0ruRfc/pG4qT/3oHmUj1AhSHEcxNSGg+OA= -k8s.io/code-generator v0.35.1 h1:yLKR2la7Z9cWT5qmk67ayx8xXLM4RRKQMnC8YPvTWRI= -k8s.io/code-generator v0.35.1/go.mod h1:F2Fhm7aA69tC/VkMXLDokdovltXEF026Tb9yfQXQWKg= +k8s.io/api v0.35.2 h1:tW7mWc2RpxW7HS4CoRXhtYHSzme1PN1UjGHJ1bdrtdw= +k8s.io/api v0.35.2/go.mod h1:7AJfqGoAZcwSFhOjcGM7WV05QxMMgUaChNfLTXDRE60= +k8s.io/apimachinery v0.35.2 h1:NqsM/mmZA7sHW02JZ9RTtk3wInRgbVxL8MPfzSANAK8= +k8s.io/apimachinery v0.35.2/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns= +k8s.io/client-go v0.35.2 h1:YUfPefdGJA4aljDdayAXkc98DnPkIetMl4PrKX97W9o= +k8s.io/client-go v0.35.2/go.mod h1:4QqEwh4oQpeK8AaefZ0jwTFJw/9kIjdQi0jpKeYvz7g= +k8s.io/code-generator v0.35.2 h1:3874swbO2c26VWTf6lKD4NWGyHIfyBeTCk7caCG3TuU= +k8s.io/code-generator v0.35.2/go.mod h1:id4XLCm0yAQq5nlvyfAKibMOKnMjzlesAwGw6kM3Adc= k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b h1:gMplByicHV/TJBizHd9aVEsTYoJBnnUAT5MHlTkbjhQ= k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b/go.mod h1:CgujABENc3KuTrcsdpGmrrASjtQsWCT7R99mEV4U/fM= k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8= k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= -k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= -k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= 
+k8s.io/klog/v2 v2.140.0 h1:Tf+J3AH7xnUzZyVVXhTgGhEKnFqye14aadWv7bzXdzc= +k8s.io/klog/v2 v2.140.0/go.mod h1:o+/RWfJ6PwpnFn7OyAG3QnO47BFsymfEfrz6XyYSSp0= k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE= k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ= k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kubeseal-0.36.0/helm/sealed-secrets/Chart.yaml new/kubeseal-0.36.1/helm/sealed-secrets/Chart.yaml --- old/kubeseal-0.36.0/helm/sealed-secrets/Chart.yaml 2026-02-25 17:49:13.000000000 +0100 +++ new/kubeseal-0.36.1/helm/sealed-secrets/Chart.yaml 2026-03-12 13:30:54.000000000 +0100 @@ -1,7 +1,7 @@ annotations: category: DeveloperTools apiVersion: v2 -appVersion: 0.35.0 +appVersion: 0.36.0 description: Helm chart for the sealed-secrets controller. home: https://github.com/bitnami-labs/sealed-secrets icon: https://bitnami.com/assets/stacks/sealed-secrets/img/sealed-secrets-stack-220x234.png @@ -14,6 +14,6 @@ url: https://github.com/bitnami-labs/sealed-secrets name: sealed-secrets type: application -version: 2.18.1 +version: 2.18.3 sources: - https://github.com/bitnami-labs/sealed-secrets diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kubeseal-0.36.0/helm/sealed-secrets/README.md new/kubeseal-0.36.1/helm/sealed-secrets/README.md --- old/kubeseal-0.36.0/helm/sealed-secrets/README.md 2026-02-25 17:49:13.000000000 +0100 +++ new/kubeseal-0.36.1/helm/sealed-secrets/README.md 2026-03-12 13:30:54.000000000 +0100 
@@ -86,7 +86,7 @@ | ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | ----------------------------------- | | `image.registry` | Sealed Secrets image registry | `docker.io` | | `image.repository` | Sealed Secrets image repository | `bitnami/sealed-secrets-controller` | -| `image.tag` | Sealed Secrets image tag (immutable tags are recommended) | `0.35.0` | +| `image.tag` | Sealed Secrets image tag (immutable tags are recommended) | `0.36.0` | | `image.pullPolicy` | Sealed Secrets image pull policy | `IfNotPresent` | | `image.pullSecrets` | Sealed Secrets image pull secrets | `[]` | | `revisionHistoryLimit` | Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) | `""` | diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kubeseal-0.36.0/helm/sealed-secrets/templates/deployment.yaml new/kubeseal-0.36.1/helm/sealed-secrets/templates/deployment.yaml --- old/kubeseal-0.36.0/helm/sealed-secrets/templates/deployment.yaml 2026-02-25 17:49:13.000000000 +0100 +++ new/kubeseal-0.36.1/helm/sealed-secrets/templates/deployment.yaml 2026-03-12 13:30:54.000000000 +0100 @@ -181,6 +181,7 @@ ports: - name: http containerPort: {{ .Values.containerPorts.http | default "8080" }} + protocol: TCP {{- if .Values.hostNetwork }} hostPort: {{ .Values.containerPorts.http }} {{- else if .Values.hostPorts.http }} 
@@ -188,6 +189,7 @@ {{- end }} - name: metrics containerPort: {{ .Values.containerPorts.metrics | default "8081" }} + protocol: TCP {{- if .Values.hostNetwork }} hostPort: {{ .Values.containerPorts.metrics }} {{- else if .Values.hostPorts.metrics }} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kubeseal-0.36.0/helm/sealed-secrets/templates/service.yaml new/kubeseal-0.36.1/helm/sealed-secrets/templates/service.yaml --- old/kubeseal-0.36.0/helm/sealed-secrets/templates/service.yaml 2026-02-25 17:49:13.000000000 +0100 +++ new/kubeseal-0.36.1/helm/sealed-secrets/templates/service.yaml 2026-03-12 13:30:54.000000000 +0100 @@ -29,6 +29,7 @@ - name: http port: {{ .Values.service.port }} targetPort: http + protocol: TCP {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePort)) }} nodePort: {{ .Values.service.nodePort }} {{- else if eq .Values.service.type "ClusterIP" }} @@ -67,6 +68,7 @@ - name: metrics port: {{ .Values.metrics.service.port }} targetPort: metrics + protocol: TCP {{- if and (or (eq .Values.metrics.service.type "NodePort") (eq .Values.metrics.service.type "LoadBalancer")) (not (empty .Values.metrics.service.nodePort)) }} nodePort: {{ .Values.metrics.service.nodePort }} {{- else if eq .Values.metrics.service.type "ClusterIP" }} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kubeseal-0.36.0/helm/sealed-secrets/values.yaml new/kubeseal-0.36.1/helm/sealed-secrets/values.yaml --- old/kubeseal-0.36.0/helm/sealed-secrets/values.yaml 2026-02-25 17:49:13.000000000 +0100 +++ new/kubeseal-0.36.1/helm/sealed-secrets/values.yaml 2026-03-12 13:30:54.000000000 +0100 
@@ -39,7 +39,7 @@ image: registry: docker.io repository: bitnami/sealed-secrets-controller - tag: 0.35.0 + tag: 0.36.0 ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kubeseal-0.36.0/versions.env new/kubeseal-0.36.1/versions.env --- old/kubeseal-0.36.0/versions.env 2026-02-25 17:49:13.000000000 +0100 +++ new/kubeseal-0.36.1/versions.env 2026-03-12 13:30:54.000000000 +0100 @@ -1,2 +1,2 @@ -GO_VERSION=1.25.7 +GO_VERSION=1.26.1 GO_VERSION_LIST="[\"$GO_VERSION\"]" ++++++ kubeseal.obsinfo ++++++ --- /var/tmp/diff_new_pack.XfEaai/_old 2026-03-13 21:16:45.309172396 +0100 +++ /var/tmp/diff_new_pack.XfEaai/_new 2026-03-13 21:16:45.317172729 +0100 @@ -1,5 +1,5 @@ name: kubeseal -version: 0.36.0 -mtime: 1772038153 -commit: 97e5023c97fa29a5a91706c6d140851fa282bae7 +version: 0.36.1 +mtime: 1773318654 +commit: 94bd9538c8770a5a051d5c0d5f9936f968933dad ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/kubeseal/vendor.tar.gz /work/SRC/openSUSE:Factory/.kubeseal.new.8177/vendor.tar.gz differ: char 92, line 1
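Review bot: the new `kubeseal.changes` entry leaves out two items that the `RELEASE-NOTES.md` hunk lists for v0.36.1: the `distroless/static` base image bump (#1912) and "Fix oci push action" (#1899). The base image digest change is visible in both Dockerfile hunks of this diff, so either add the two items to the changelog or say why image-only changes are left out of the package changelog.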
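Review bot: in `_servicedata`, the stale `tar_scm` entry for `https://github.com/bitnami-labs/sealed-secrets` (with the 0.36.0 `changesrevision`) is kept next to the new entry for the `.git` URL, so the file now records two last-packaged commits for the same repository. The duplicate follows from the `_service` URL change to `sealed-secrets.git`; drop the old entry or keep the original URL so changes generation has one reference revision.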
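Review bot: in the README hunk "Installation in Restricted Environments (No RBAC)", the description and the requirements disagree: the manifest is said to include the **CustomResourceDefinition**, yet requirement 1 says a cluster administrator must have already installed the SealedSecret CRDs. State which one holds. The text also says the manifest omits `ServiceAccount` but never explains how the Deployment is pointed at the pre-allocated Service Account from requirement 2, or which permissions that account needs; document both so operators grant no more than the controller requires. Requirement 2 is also missing its final period.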
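Review bot: in the README FAQ hunk "How to manage SealedSecrets across the cluster or specific namespaces?", the "Watch a subset of namespaces" bullet does not say whether `--all-namespaces=false` has to be set together with `--additional-namespaces=<ns1>,<ns2>`. The paragraph above states that `--all-namespaces` defaults to `true`, so a reader can pass only `--additional-namespaces` and assume the controller's scope is restricted. Spell out the full flag combination for each option, since the multi-tenant isolation described in the last bullet depends on it.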
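Review bot: in `docs/GKE.md`, Option 1 sets `rbac.serviceProxier.create: false` without telling users how they then obtain the sealing certificate; link to the "Offline sealing" section that the new table of contents already lists. The added headings `# RBAC and GKE Warden Restrictions` and `# Workarounds` are top-level, so the TOC shows them as siblings of `# GKE`; lower them one level, and add a blank line between the closing fence of the firewall example and the first new heading.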
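Review bot: in `helm/sealed-secrets/Chart.yaml`, `values.yaml` and the chart README, `appVersion` and `image.tag` move to 0.36.0 while this tree is 0.36.1, so a chart installed from this source deploys a controller one release behind the `kubeseal` CLI packaged here. If that lag is intentional, say so in the release notes. The chart `version` also goes from 2.18.1 to 2.18.3 with no 2.18.2 visible in this diff, which is worth a line in the chart changelog.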
