Releases: DopplerHQ/kubernetes-operator

v1.2.6

15 Jun 12:37
6bc96a8
  • Adds support for kebab name transformer
  • Increases memory request for manager deployment

v1.2.5

13 Feb 17:53
caeb2c2
  • Adds support for downloading secrets as files for mounting inside containers

This release supersedes v1.2.1 through v1.2.4 which were all DOA.

v1.2.4

13 Feb 17:13
4fa0664
  • Adds support for downloading secrets as files for mounting inside containers

This release supersedes v1.2.1 through v1.2.3 which were all DOA.

v1.2.3

13 Feb 16:33
bd42a42
  • Adds support for downloading secrets as files for mounting inside containers

This release supersedes v1.2.1 and v1.2.2 which were both DOA.

v1.2.2

10 Feb 22:32
1ccddaf
  • Adds support for downloading secrets as files for mounting inside containers

This release supersedes v1.2.1 which was DOA.

v1.2.1

10 Feb 15:26
bc886cf
  • Adds support for downloading secrets as files for mounting inside containers

v1.2.0

20 Sep 19:21
98ce8cc
  • Fixes a security issue which allowed Kubernetes users to instruct the operator to perform certain privileged actions (see below)
  • Allows Doppler project and config fields to be specified in the DopplerSecret CR
  • Allows secret nameTransformer to be specified in the DopplerSecret CR

Security Update

This release resolves a low severity vulnerability in the Doppler Kubernetes Operator which allowed users to:

  • Instruct the operator to fetch Doppler secrets using Kubernetes token secrets in namespaces that they normally could not access
  • Instruct the operator to write Doppler secrets to Kubernetes managed secrets in namespaces that they normally could not access

Note that users cannot instruct the operator to output the contents of a Kubernetes token secret; the operator can only be instructed to use a token secret to fetch secret data from Doppler.

Impact

Before v1.2.0, the operator processed any DopplerSecret resources in any namespace in the cluster. For example,

apiVersion: secrets.doppler.com/v1alpha1
kind: DopplerSecret
metadata:
  name: dopplersecret-test
  namespace: default
spec:
  tokenSecret:
    name: doppler-token-secret
    namespace: ns1
  managedSecret:
    name: doppler-test-secret
    namespace: ns2

In this example, the user who created this resource can only create DopplerSecret resources in the default namespace. They cannot directly access Kubernetes secrets in the ns1 or ns2 namespaces.

With the YAML above, the user creates a DopplerSecret resource in the default namespace which instructs the operator to fetch a Doppler service token from the doppler-token-secret Kubernetes secret in the ns1 namespace and write the Doppler secrets into the doppler-test-secret Kubernetes secret in the ns2 namespace.

Although the user does not have permissions to access resources in ns1 or ns2, they are able to use the operator to fetch secrets from the Doppler API using a token secret in ns1 and write a managed secret in ns2. If doppler-test-secret in ns2 already exists, the operator would overwrite it.

Resolution

To resolve this vulnerability, the v1.2.0 operator only processes DopplerSecret resources which have been created in the same namespace as the operator deployment (doppler-operator-system, by default).

The operator’s namespace is treated as privileged: any user who can create or update DopplerSecret resources in this namespace can instruct the operator to read token secrets from, and write managed secrets to, any namespace in the cluster, using the same mechanism described above. Grant that access only to principals you would trust with every Kubernetes secret the operator’s service account can reach, and scope your RBAC rules accordingly.

Upgrade Steps

Note: When upgrading to v1.2.0, any DopplerSecret resources in namespaces other than the operator’s namespace will stop being processed. The managed Kubernetes secret will be left unchanged but future changes to your Doppler config will not be synced.

You can check if you have any DopplerSecret resources outside the operator namespace using this command:

kubectl get dopplersecrets -A --no-headers | grep -v '^doppler-operator-system '

If any resources appear in this list, you can manually delete them and re-create them in the doppler-operator-system namespace before you upgrade. If no resources appear in the list, all DopplerSecret resources are in the doppler-operator-system namespace and will continue to be processed by the v1.2.0 operator.
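
The following Go program is an added example, not the operator's own code. It covers both the Impact section above and this pre-upgrade check: it reads the output of `kubectl get dopplersecrets -A -o json`, reports which DopplerSecret resources v1.2.0 will stop processing (those outside the operator's namespace), and flags any resource whose tokenSecret or managedSecret points at a namespace other than the resource's own, which is exactly the cross-namespace reach described above. The embedded SampleList is constructed for offline use (it contains the advisory's dopplersecret-test plus two invented resources), and the program assumes that an omitted tokenSecret or managedSecret namespace means the DopplerSecret's own namespace.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
)

// SecretRef mirrors spec.tokenSecret / spec.managedSecret in the CR.
type SecretRef struct {
	Name      string `json:"name"`
	Namespace string `json:"namespace,omitempty"`
}

// DopplerSecret keeps only the CR fields this audit needs.
type DopplerSecret struct {
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Spec struct {
		TokenSecret   SecretRef `json:"tokenSecret"`
		ManagedSecret SecretRef `json:"managedSecret"`
	} `json:"spec"`
}

// DopplerSecretList is the shape of `kubectl get dopplersecrets -A -o json`.
type DopplerSecretList struct {
	Items []DopplerSecret `json:"items"`
}

// Finding is the audit result for one DopplerSecret.
type Finding struct {
	Namespace, Name string
	// ProcessedByV120: v1.2.0 reconciles only CRs in the operator's namespace.
	// Before v1.2.0 every CR in the cluster was reconciled.
	ProcessedByV120 bool
	// CrossNamespace: namespaces other than the CR's own that it reaches into,
	// via tokenSecret (a read) or managedSecret (a write). Sorted.
	CrossNamespace []string
}

// refNamespace resolves an omitted namespace. Assumption for this example:
// an unset tokenSecret/managedSecret namespace means the CR's own namespace.
func refNamespace(ref SecretRef, own string) string {
	if ref.Namespace == "" {
		return own
	}
	return ref.Namespace
}

// ProcessedByV120 is the namespace restriction introduced in v1.2.0.
func ProcessedByV120(cr DopplerSecret, operatorNS string) bool {
	return cr.Metadata.Namespace == operatorNS
}

// Audit classifies every DopplerSecret in a kubectl JSON list.
func Audit(listJSON []byte, operatorNS string) ([]Finding, error) {
	var list DopplerSecretList
	if err := json.Unmarshal(listJSON, &list); err != nil {
		return nil, fmt.Errorf("parse DopplerSecret list: %w", err)
	}
	findings := make([]Finding, 0, len(list.Items))
	for _, cr := range list.Items {
		own := cr.Metadata.Namespace
		seen := map[string]bool{}
		for _, ref := range []SecretRef{cr.Spec.TokenSecret, cr.Spec.ManagedSecret} {
			if ns := refNamespace(ref, own); ns != own {
				seen[ns] = true
			}
		}
		cross := make([]string, 0, len(seen))
		for ns := range seen {
			cross = append(cross, ns)
		}
		sort.Strings(cross)
		findings = append(findings, Finding{
			Namespace:       own,
			Name:            cr.Metadata.Name,
			ProcessedByV120: ProcessedByV120(cr, operatorNS),
			CrossNamespace:  cross,
		})
	}
	return findings, nil
}

// SampleList is constructed input: the advisory's dopplersecret-test plus two
// invented resources, one in the operator namespace and one fully in-namespace.
const SampleList = `{"apiVersion":"v1","kind":"List","items":[
 {"metadata":{"name":"dopplersecret-test","namespace":"default"},
  "spec":{"tokenSecret":{"name":"doppler-token-secret","namespace":"ns1"},
          "managedSecret":{"name":"doppler-test-secret","namespace":"ns2"}}},
 {"metadata":{"name":"billing","namespace":"doppler-operator-system"},
  "spec":{"tokenSecret":{"name":"billing-token"},
          "managedSecret":{"name":"billing-secret","namespace":"billing"}}},
 {"metadata":{"name":"web","namespace":"team-a"},
  "spec":{"tokenSecret":{"name":"web-token","namespace":"team-a"},
          "managedSecret":{"name":"web-secret","namespace":"team-a"}}}
]}`

// Usage: `go run audit.go` uses SampleList;
// `kubectl get dopplersecrets -A -o json | go run audit.go -` audits a cluster.
func main() {
	input := []byte(SampleList)
	if len(os.Args) > 1 && os.Args[1] == "-" {
		b, err := io.ReadAll(os.Stdin)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		input = b
	}
	findings, err := Audit(input, "doppler-operator-system")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, f := range findings {
		status := "processed by v1.2.0"
		if !f.ProcessedByV120 {
			status = "WILL STOP syncing after upgrade; recreate in operator namespace"
		}
		fmt.Printf("%s/%s: %s", f.Namespace, f.Name, status)
		if len(f.CrossNamespace) > 0 {
			fmt.Printf("; reaches into %v", f.CrossNamespace)
		}
		fmt.Println()
	}
}
```

On the sample, default/dopplersecret-test is reported as both unprocessed after the upgrade and reaching into ns1 and ns2; doppler-operator-system/billing keeps syncing and legitimately reaches into billing (that is the privileged-namespace case the Resolution section warns about); team-a/web stays inside its own namespace but will still stop syncing until it is recreated in doppler-operator-system. If your operator runs in a non-default namespace, pass that name to Audit instead of the literal used in main.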

If you installed the Doppler Kubernetes Operator with Helm, you can use Helm to perform the upgrade:

# Update doppler Helm repo
helm repo update
# Update the dopplersecrets CRD, which is not automatically upgraded by Helm
helm pull doppler/doppler-kubernetes-operator --untar
kubectl apply -f doppler-kubernetes-operator/crds/all.yaml
# Update the chart
helm upgrade <release_name> doppler/doppler-kubernetes-operator

If you installed the operator manually, you can re-apply the installation YAML to upgrade:

kubectl apply -f https://github.com/DopplerHQ/kubernetes-operator/releases/latest/download/recommended.yaml

If you have any questions, feel free to reach out to [email protected].

v1.1.1

27 Apr 20:19
899bd16
  • Add Docker build support for ARM
  • Fix broken docs link

v1.1.0

15 Sep 12:57
992425c
  • Adds secret processors to the DopplerSecret resource to allow modification of Doppler data before it's loaded into Kubernetes

v1.0.0

09 Sep 14:13
04b1820
Merge pull request #10 from DopplerHQ/nic/remove-prerelease

Remove Prerelease Label