Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

4.4.1 - 2023-03-06

Fixed

  • Exclamation mark in --set argument results in a backend not found error
  • HELM_SECRETS_LOAD_GPG_KEYS uses home dir instead of tmp dir, which results in errors on argocd-repo-server

4.4.0 - 2023-02-18

Added

  • Migrations for ArgoCD multi source application limitations

Fixed

  • Error curl: option --netrc-file=/custom-tools/.netrc: is unknown, if NETRC environment variable is defined

4.3.0 - 2023-02-18

Added

  • Support for evaluating secret references (--evaluate-templates; vals backend) in helm templates (requires helm 3.9.0; vals 0.20+)
  • Override secret backend per value file
  • Restrict secret backend, using HELM_SECRETS_ALLOWED_BACKENDS environment variable

Fixed

  • Performance issues with large value files (vals backend)
  • Remote value file download fails when URL contains query strings

4.2.2 - 2022-11-20

Fixed

  • Performance issues with large value files

4.2.1 - 2022-11-14

Fixed

  • Fix detection of SOPS YAML files with Windows line endings (CR LF)

4.2.0 - 2022-11-08

Added

  • --ignore-missing-values (HELM_SECRETS_IGNORE_MISSING_VALUES). This option allows ignoring errors related to file not found.
  • If a path or value file begins with a ?, all file not found errors related to that specific value file are ignored.
  • Support for shell installed via scoop

Fixed

  • Multiple values in a single --set option not correctly passed to helm
  • cat: can't open '/dev/stdin': No such file or directory on Windows

4.1.1 - 2022-09-21

Fixed

  • Fix handling of special character \ from literal vals values
  • Remove escape character \ from literal vals values, if value contains quotes.

4.1.0 - 2022-09-20

Added

  • Support for literal vals values like --set, --set-string and --set-json, e.g.
    • --set auth.rootPassword=ref+vault://secret/mysql#/rootPassword
  • Support for literal vals values through downloader syntax secrets+literal://, e.g.
    • --set-file secrets+literal://ref+vault://secret/mysql#/rootPassword

4.0.0 - 2022-09-11

Added

  • Support for decrypting files defined via --set-file

Changed

  • Breaking: Rename helm secrets dec to helm secrets decrypt
  • Breaking: Rename helm secrets enc to helm secrets encrypt
  • Breaking: The decrypt and encrypt commands write the results to stdout now. Both commands support the -i flag to en/decrypt a file in-line.
  • Breaking: Secret drivers are renamed to secret backends
    • This breaks custom integrations. All shell functions containing the name driver are renamed to backend, e.g.: driver_encrypt_file -> backend_encrypt_file
    • The CLI arguments --driver, -d and --driver-args have been renamed to --backend, -b and --backend-args
    • The environment variables HELM_SECRETS_DRIVER and HELM_SECRETS_DRIVER_ARGS have been renamed to HELM_SECRETS_BACKEND and HELM_SECRETS_BACKEND_ARGS

Removed

  • HELM_SECRETS_DRIVER environment variable. HELM_SECRETS_BACKEND is a drop-in replacement.
  • helm secret clean command.
  • helm secret terraform command. The helm secret decrypt --terraform command is a drop-in replacement.
  • helm secret view command. The helm secret decrypt command is a drop-in replacement.
  • vault driver. The vals driver supports vault as backend, too.
  • envsubst driver. The vals driver supports envsubst as backend, too.
  • droppler driver.
  • sops:// protocol handler
  • secret:// protocol handler
  • Parameter --output-decrypt-file-path (HELM_SECRETS_OUTPUT_DECRYPTED_FILE_PATH) that outputs the path of decrypted files only.

3.15.0 - 2022-08-08

Changed

  • Prefer bash from Git for Windows over WSL shell to avoid WSL interop incompatibilities
  • Deprecate vault driver. The vals driver supports vault as backend, too.
  • Deprecate envsubst driver. The vals driver supports envsubst as backend, too.
  • Deprecate droppler driver.

Fixed

  • Error with --set arguments, if WSL backend is used.

3.14.1 - 2022-07-27

Changed

  • Handling of /tmp file in Windows environments. Fixes performance issues in native WSL environments

Fixed

  • Win32 Console error, if gpg.exe does not exist
  • Debug output, if helm --debug is set.

3.14.0 - 2022-06-06

Added

  • Added error handling in case curl or wget is not installed.
  • Added vals support on Windows
  • Enable protocol handling on Windows. Requires the command helm secrets patch windows once.

Changed

  • Check detection of sops encrypted files
  • Prefer gpg4win, if available. Use SOPS_GPG_EXEC=gpg as environment variable to restore the old behavior.

Fixed

  • Error, if HELM_SECRETS_WINDOWS_SHELL contains spaces

3.13.0 - 2022-04-12

Added

  • Support for WSL on Windows

Fixed

  • Strip newlines on helm secrets terraform command

3.12.0 - 2022-02-03

Added

  • Terraform Integration. Can be used together with external data source provider
  • Enable parsing of .netrc for http based values. The location of the .netrc can be overridden by NETRC environment variable.
  • Environment variable HELM_SECRETS_VALUES_ALLOW_SYMLINKS to allow or deny following symlinks.
  • Environment variable HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH to allow or deny absolute value file paths.
  • Environment variable HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL to allow or deny dot-dot-slash values file paths.

3.11.0 - 2021-11-25

Added

  • Add environment variable expansion for value files like secrets://https://${GITHUB_TOKEN}@raw.githubusercontent.com/org/repo/ref/pathtofile.yml. This feature is disabled by default and can be enabled by setting the env var HELM_SECRETS_URL_VARIABLE_EXPANSION=true

Changed

  • Add more strict behavior around the downloader syntax to avoid infinite loops

3.10.0 - 2021-11-05

Added

  • Add age support for downloader plugin syntax.

Changed

  • Improvements to the ArgoCD integration documentation.

3.9.1 - 2021-10-09

Fixed

  • Wrong format on CHANGELOG.md

3.9.0 - 2021-10-09

Added

  • A better ArgoCD Integration. helm-secrets can now load gpg keys for you by using the uri secrets+gpg-import://path/key.asc?path/secrets.yaml as value file. As an alternative, you can use secrets+gpg-import-kubernetes:// to import a gpg key from an existing kubernetes secret, but it requires the kubectl command. Check out the [docs/ARGOCD.md](docs/ArgoCD Integration.md) for more information.
  • vals driver. vals supports Vault, AWS SSM, GCP, sops, terraform states or other files.

3.8.3 - 2021-08-06

Changed

  • Allow dot, asterisk and underscore for the vault path

3.8.2 - 2021-07-14

Fixed

  • Decrypt partially encrypted sops files correctly

3.8.1 - 2021-06-12

Fixed

  • OUTPUT_DECRYPTED_FILE_PATH: parameter not set

3.8.0 - 2021-06-12

Added

  • New parameter --output-decrypt-file-path (HELM_SECRETS_OUTPUT_DECRYPTED_FILE_PATH) that outputs the path of decrypted files only.
  • HELM_SECRETS_DEC_PREFIX variable in addition to HELM_SECRETS_DEC_SUFFIX
  • New parameter --version
  • cygwin compatibility

Changed

  • HELM_SECRETS_DEC_SUFFIX has been changed from .yaml.dec to .dec. Additionally, when appending the suffix, the file extension .yaml is not stripped anymore.
  • The detection of encrypted sops files has been changed. Instead of looking for sops: and version:, the string unencrypted_suffix is used now.

3.7.0 - 2021-05-22

Added

  • envsubst driver

Changed

  • Output errors on stderr

3.6.1 - 2021-03-30

Fixed

  • mktemp: too few X's in template error on macOS if gnu coreutils are preferred over builtin bsd tools.

3.6.0 - 2021-03-29

Added

  • Detect ArgoCD environment by ARGOCD_APP_NAME environment variable and set HELM_SECRETS_QUIET=true by default. (#83)

Removed

  • The default sops installation is removed, since helm-secrets could be used with hashicorp vault which does not require sops.

Fixed

  • Cleanup all temporary files.

3.5.0 - 2021-02-20

Added

  • Added --driver-args to pass additional argument to underlying commands (#82)

Fixed

  • "grep: Invalid range end" if locale is not C (#81)

3.4.2 - 2021-02-19

Changed

  • Dev: Rename master branch to main

Fixed

  • "grep: Invalid range end" if locale is not C (#79)

3.4.1 - 2021-01-23

Fixed

  • Handling -- inside command line arguments
  • Fix handling errors with remote files
  • Strip yaml doc separator if the vault driver is used (#70)
  • Incompatibilities if sed links to gnu sed on MacOS (#72)

3.4.0 - 2020-12-26

From this version, the installation on Helm 2 requires additional steps. Check https://github.com/jkroepke/helm-secrets/wiki/Installation#helm-2

Added

  • Implement alternate syntax (#52)
  • Remote values support (supporting http:// and helm downloader plugins) (#54)
  • Let downloader plugin support remote files and all secrets drivers (#55)
  • Externalize custom vault driver logic. (#63)
  • Dev: Implement code coverage
  • Dev: Test zsh compatibility

Fixed

  • Vault driver: If vault command failed, the script execution was not terminated. (#61)

3.3.5 - 2020-10-16

Added

  • Better lookup for unix shells on Windows (#42)

3.3.4 - 2020-09-09

Added

  • Allow overriding SOPS version on installation (#40)
  • Add separate download artifact on GitHub release

3.3.0 - 2020-08-28

Added

  • Don't check if file exists on edit (#31)
  • Better Windows support (#28)
  • Support parameters like --values=secrets.yaml (#34)
  • Added CentOS 7 as supported OS system (#35)

3.2.0 - 2020-05-08

Added

  • Add Vault support (#22)
  • Secret driver to gain secrets from other sources than sops. (#16)
  • Remove name restriction (#23)

Changed

  • Run unit tests on bash, dash and ash (busybox), too.

3.1.0 - 2020-04-27

Added

  • completion.yaml for helm shell auto-completion
  • Tests for all helm secrets commands
  • Added quiet flag for helm secrets (#8)

Changed

  • Escape special chars in paths correctly (#9)

3.0.0 - 2020-04-26

Started a fork of https://github.com/zendesk/helm-secrets

Added

  • POSIX compatibility (#1)
  • Optionally decrypt helm secrets in a temporary directory (#5)
  • Added CI tests (#2)

Changed

  • Changed secrets.yaml prefix just to secrets. All files like secrets* are now decrypted
  • Remove dependency on gnu-getopt
  • Remove run as root dependency on helm plugin install
  • Verbose output is now on stderr
  • Support all helm sub commands and plugins