Update all dependencies
This MR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
derailed/k9s | ironbank-github | minor | v0.29.1 -> v0.30.0 |
kubernetes-sigs/kustomize | ironbank-github | major | kustomize%2Fv5.0.0 -> v3.3.1 |
mozilla/sops | ironbank-github | minor | v3.7.3 -> v3.8.1 |
Release Notes
derailed/k9s (derailed/k9s)
v0.30.0
Release v0.30.0
Notes
Thank you to all that contributed with flushing out issues and enhancements for K9s! I'll try to mark some of these issues as fixed. But if you don't mind grab the latest rev and see if we're happier with some of the fixes! If you've filed an issue please help me verify and close.
Your support, kindness and awesome suggestions to make K9s better are, as ever, very much noted and appreciated! Also big thanks to all that have allocated their own time to help others on both slack and on this repo!!
As you may know, K9s is not pimped out by corps with deep pockets, thus if you feel K9s is helping your Kubernetes journey, please consider joining our sponsorship program and/or make some noise on social! @kitesurfer
On Slack? Please join us K9slackers
♫ Sounds Behind The Release ♭
Going back to the classics...
- Home For Christmas - Fats Domino
- Our Love - Al Jarreau
- Body And Soul - Louis Armstrong
- On The Dunes - Donald Fagen
- Ciao - Lucio Dalla
- Basin Street Blues - Louis Prima
A Word From Our Sponsors...
To all the good folks below that opted to pay it forward
and join our sponsorship program, I salute you!!
Sponsorship cancellations since the last release: 5! 🥹
🎄 Feature Release! 🎄
Videos Are In The Can!
Please dial K9s Channel for up coming content...
Breaking Bad!
☢ ️ !!Prior to installing v0.30.0!! Please be sure to backup your k9s configs directories or move them somewhere safe!!
☢ ️ Please watch the v0.30.0 Sneak peek series (links below) for detailed information.
☢ ️ Most K9s configuration files have either split or changed location or names on this drop!!
We recommend moving your current k9s config dirs to another location and start k9s from scratch and let it create and initialize the various configs to their new spec and location. You can then use your existing setup and patch with the new layout/spec. As of v0.30.0 all config files now use the `*.yaml` extension. We did our best to update all the docs to match the new version. If you find doc issues either file an issue or better yet submit a MR!
Some of you might say: You're on the roll their bud! Two breaking changes drops in a row!!
Per the wise words of my beloved Grand mama! One can't cook a decent meal without creating a mess!
Not to mention we're still at v0.x.y so Open season on breaking changes is very much in full effect.
Tho I have tested this drop quite a bit, there is a strong chance that I've broken some stuff. The key here is to walk the fine line of improving k9s code base and features set with minimal impact to you. As you know by now, I am committed to ease the pain and resolve issues quickly to get you all back up and running.
From the scope changes in this release, I would caution that this drop will likely break you!
If so, worry not! We will fix the duds so we are Happy as a Hippo once again.
There were a few issues with the way K9s persists its configuration and various artifacts. So we rewrote it! First and foremost all k9s related YAML resources will now use the standard ".yaml" extension. I think we've bloated the code checking for both extensions with no real actionable value!
As it stands the main K9s configuration `config.yml` will now be static. These settings are now readonly! All the dynamic configurations that K9s manages now live in a new directory aka `clusters`. The clusters directory manages your k8s cluster/context configurations. So things like active view, namespace, favorites, etc... now live in this directory. K9s configurations are still managed using either xdg `XDG_CONFIG_HOME` or you can set `K9S_CONFIG_DIR` to specify your preferred k9s configs location. Also all config files will now use the ".yaml" extension vs ".yml"!!
So the main k9s configuration (static) now looks like this:
```yaml
# $XDG_CONFIG_HOME/k9s/config.yaml
# File will be autogenerated with all the default fixins if not found in the config specification.
k9s:
  liveViewAutoRefresh: false
  refreshRate: 2
  maxConnRetry: 5
  readOnly: false
  noExitOnCtrlC: false
  ui: # NOTE! New level!!
    enableMouse: false
    headless: false
    logoless: false
    crumbsless: false
    noIcons: false
  skipLatestRevCheck: false
  disablePodCounting: false
  # ShellPod configuration applies to all your clusters
  shellPod:
    image: busybox:1.35.0
    namespace: default
    limits:
      cpu: 100m
      memory: 100Mi
  # ImageScan config changed from v0.29.0!
  imageScans:
    enable: false
    # Now figures exclusions ie blacklist namespaces or specific workload labels
    blackList:
      # Exclude the following namespaces for image vulscans!
      namespaces:
        - kube-system
        - fred
      # Exclude the following labels from image vulscans!
      labels:
        k8s-app:
          - kindnet
          - bozo
        env:
          - dev
  logger:
    tail: 100
    buffer: 5000
    sinceSeconds: -1
    fullScreenLogs: false
    textWrap: false
    showTime: false
  thresholds:
    cpu:
      critical: 90
      warn: 70
    memory:
      critical: 90
      warn: 70
```
Next context specific configurations that are managed by you and k9s live in the XDG data directory i.e `$XDG_DATA_HOME/k9s/clusters` or `$K9S_CONFIG_DIR/clusters` if the env var is set.
```text
$XDG_DATA_HOME/k9s
// Clusters tracks visited kubeconfig cluster/contexts
├── clusters
│   ├── fred
│   │   └── bozo
│   │       └── config.yaml
│   ├── bozorg
│   │   ├── kind-bozo-1
│   │   │   └── config.yaml
│   │   ├── kind-bozo-2
│   │   │   └── config.yaml
│   │   └── kind-bozo-3
│   │       └── config.yaml
│   └── bumblebeetuna
│       └── blee
│           └── config.yaml
└── skins
    ├── black_and_wtf.yaml
    ├── dracula.yaml
    ├── in_the_navy.yml
    ├── ...
```
Now looking at a given context configuration i.e cluster-1/context-1/config.yaml
```yaml
# $XDG_DATA_HOME/k9s/clusters/bumblebeetuna/blee/config.yaml
k9s:
  cluster: bumblebeetuna
  readOnly: false # [New!] you can now single out a given context and make it readonly. Woof!
  skin: in_the_navy # [NEW!] you can also skin individual contexts. Woof Woof!
  namespace:
    active: all
    lockFavorites: false
    favorites:
      - all
      - kube-system
      - default
  view:
    active: dp
  featureGates:
    nodeShell: false
  portForwardAddress: localhost
```
Transient artifacts ie k9s logs, screen-dumps, benchmarks etc now live in the state config dir.
```text
$XDG_STATE_HOME/k9s
├── k9s.log # K9s log files
└── screen-dumps
    └── bumblebeetuna # Screen dumps location for context blee
        └── blee
            └── deployments-kube-system-1703018199222861000.csv
```
If you get stuck or if my instructions are just clear as mud... `k9s info` is always your friend!!
I feel this is an improvement (tho I might be unanimous on this!) especially for folks dealing with multi-clusters or swapping out their kubeconfigs...
NOTE! Paint is still fresh on this deal. Proceed with caution and please help us flush this feature out!
Got Prompt?
In this drop, we've also given the k9s command prompt aka `:xxx` some love.
You have the ability to specify filter directly in the prompt.
So for example, you can now run something like `:po /fred` to run pod view with a filter to just show pods containing `fred`. Likewise `:po k8s-app=fred,env=blee` to filter by labels.
And now for the Krampus special... you can see pods in a different context all together via `:pod @ctx-2`.
Finally you can combo and send the whole enchilada via `:po k8s-app=fred /blee ns-1 @ctx-x`
Did I mention with completion where applicable? Yes Please!!
Compliments of Jayson Wang. Be sure to thank him!!
Put these frequent flyers command in an alias and now you can nav your clusters with even more style!
All Is Love?
On The twentieth day of Christmas my true love gave to me... Ten worklords a-leaping??...
This is a feature reported by many of you and it's (finally!) here. As of this drop, we intro the workload view aka `wk` which is similar to `kubectl get all`. I was reluctant to intro it given the potential hazards on larger clusters but figured why not? YOLO. I think using it in combo with the prompt updates it could pack a serious punch to observe workload related artifacts.
The Black List...
As it seems customary with all k9s new features, folks want to turn them off ;(
The Vulscan feature did not get out unscathed ;(
As it was rightfully so pointed out, you may want to opt out of scans for images that you do not control.
Tho I think it might be a good idea to run wide open once in a while to see if your cluster has any holes??
For this reason, we've opted to intro a blacklist section under the image scan configuration to exclude certain images from the scans.
Here is a sample configuration:
```yaml
k9s:
  liveViewAutoRefresh: false
  refreshRate: 2
  ui:
    enableMouse: false
    headless: false
    logoless: false
    crumbsless: false
    noIcons: false
  imageScans:
    enable: true
    blackList:
      # Skip scans on these namespaces
      namespaces:
        - ns-1
        - ns-2
      # Skip scans for pods matching these labels
      labels:
        - app:
            - fred
            - blee
            - duh
        - env:
            - dev
```
This is a bit of a blur now, but I think that's it! We hope you guys will dig this drop or at least the concepts as likely this is going to be Open Season on bugs ;(
On The second day of Christmas my true love gave to me... Eleven buggers bugging??...
Lastly looks like the sponsorship stream is down to an alarming trickle so if you dig this project and find it useful be sure to give til it hurts!
AndJoy! Fernand
Resolved Issues
- #2346 k9s should not write state to config.yaml
- #2335 Restore 0.28 column order on pod view bug
- #2331 Set a shortcut key to run Vuln Scanning on a resource. Don't scan every resource at every startup.
- #2283 Adding auto complete in search bar
Contributed MRs
Please be sure to give Big Thanks! and ATTA Girls/Boys! to all the fine contributors for making K9s better for all of us!!
- #2357 Added ln check for snap
- #2350 Add symlink into snap
- #2348 Fix(misc plugins): split up multiline commands, use less -K everywhere
- #2343 Passing on the correct suggestion parameters
- #2341 Adding value, yaml and describe views to helm-history
- #2340 Add pkgx to installation section
© 2023 Imhotep Software LLC. All materials licensed under Apache v2.0
kubernetes-sigs/kustomize (kubernetes-sigs/kustomize)
v3.3.1
Test of new API goreleaser-driven release process. LGTM.
Ignore the assets, as there's just a binary that prints the API version number. The important thing with this release is that one may `require sigs.k8s.io/kustomize/v3 v3.3.1` from your `go.mod` file.
Changelog
78d14d0
Introduce dummy program to help with API releases.
40ed9e6
fix zh-doc
3cf6b8e
v3.3.0 release notes
281f932
zh example:chart,secret generator plugin
v3.3.0
First release of the kustomize API-only module, with the CLI removed.
See https://github.com/kubernetes-sigs/kustomize/blob/master/docs/v3.3.0.md
v3.2.0
Changelog
f59d799
Add an example of reusable builtin plugins with custom config.
3f1b2bb
Add configs
aabbbf0
Add cover target to Makefile
5dfa929
Add create subcommand
ed91bce
Add example plugin for go-getter
7783a76
Add internal tooling library for index queries.
66fa2de
Add main backend service and configurations
64341a8
Add short version flag
e898c52
Add test for name conflict with base reuse
aa2bf7e
Adds frontend + configs to interal/tools/ui
02f6b3e
Allow replicas to find modified names.
6a4150d
Amend go-getter plugin document according to comments
963913f
Automatically anchor resource selector patterns
1237ae4
Consider currentId when replacing/merging resources
c2d6f09
Crawler performance improvements, better structure
24c173a
Detect ID conflicts in namespace transformer
dd5b3c1
Do not prefix/suffix APIService resources
2de052e
Download submodules when using base from git
2050afd
Ease doing custom configuration of builtin plugins.
74ed0b3
Example of configuring builtin plugin.
351df67
First draft of documentation for internal/tools
44b62a8
Fix indirect git resource cycle detection
fa834f9
Fix non-travis tests.
8e9c08e
Fix patch path example
bafd6b5
Fix typo in patches definition
594a06d
Fixes to create sub-command
adbb622
Handle git:: prefix in urls containing _git
96c5b4a
Handle ordering patches with SMP delete directives
ca41674
Implementation of basic crawler organisation.
62edcae
Implementation of configurable github crawler.
ac6918d
Implementation of github query helper library.
e0d388c
Implements search query partitioning by filesize.
c02b4f3
Initial (temporary) implementation of search doc.
2e6dd48
IsInKustomizeCtx should use end of nameprefix array (1/3)
6e13acf
IsInKustomizeCtx should use end of nameprefix array (2/3)
93cedba
IsInKustomizeCtx should use end of nameprefix array (3/3)
31262cc
IsInKustomizeCtx should use end of nameprefix array (code review)
fe8ba8e
Log loader errors during resource accumulation
54f1952
Log output from git on errors
df779fd
Modify document for elasticsearch migration.
e904f61
Move commands/edit utils package up to commands
eeafd43
Remove import of k8sdeps from create command
a68f95b
Rename commands utility function file
eaae7af
Retain replicas field in edit marshal path
ed3c29b
Simplify name reference candidate resmap building
ed920af
Support setting command in go-getter plugin
a081534
Test custom configuration of a builtin plugin.
423a8a6
Test examples against HEAD as well as against latest release.
33bd221
Update README.md
fe45157
Update crawler to cache web request form github.
b4d6e89
Update zh-README.md
86f2216
Update zh-example-README.md
6c44da5
add PriorityClass to the order list
4690558
add document for inline patch (#1411)
9516880
add inline patch document
35481ec
add inline patch support for Strategic Merge Patch and JSON patch
e6fffc8
add makefile
b4038a6
add testting for patch transformers
e011f3b
change "bases:" to "resources:"
716a730
feat: Add instructions for setting key in configmap
e455acc
fix
aedb362
fix doc
73660af
fix environment variable typo.
34287e5
fix example-zh-README.md
d3d4908
fix latest version
c2cc93a
fix: tempfile(?)
af29855
fix: windows builds
bc303c4
in plugin executor remove unnecessary code and improve error messages
a279c08
make repospec memebers public
4cb8838
plugin/go-getter: support urls including :
2e7ad48
properly omitempty for 'inventory' in 'kustomize'
d3022cc
rename to tools directory
78c9729
translate-zh: glossary.md
6cf8b9e
update examples-zh
a4e1ba0
update zh doc
6fcb784
use kubectl apply -k
# (#1495)
v3.1.0
v3.0.3
Changelog
bfafbbf
Add FAQ about how to customize configuration
fb44880
Add back GCP KMS example
08d7c35
Add storage class name ref
580963e
Address replacement of digest by ImageTransformer
579995d
Address simultaneous transformation of name and namespace
7998ee7
Addresses slice case with notNamespaceable objects
f1dbab9
Convert go plugin example to GPG based
0edab60
Fix typo: kubectl v1.15 -> kubectl v1.14 (#1333)
9b40f8a
Implement code review comments to NameReferenceTransformer changes.
c4d899f
Improve NameReference Test cases
0d8d9e2
Move plugin EnvForTest manager into new package
e5ebca6
Test tracking issue "patchesStrategicMerge elements can be dropped"
b43bd54
Update Issue 1264 Reproduction Test
c3ea109
Update goPluginGuidedExample.md
095333f
Update references to NewEnvForTest
3c05e2d
add extended patch transformer
ed0cfc6
add test for extended patch with overlapping patches
120ba6b
docs/versioningPolicy.md: fix expired urls
a85f297
enable extended patch transformer and add tests
6f74419
fix local test failures
f5fc9ac
fix local test failures
8121467
fix the ci failure
28d1bad
fix the ci failure
dc6dcd8
update the latest version in readme
v3.0.2
Changelog
876f2a8
Fix missing nameReference in default config
145d073
add labels in test patch files
eeed195
include nameprefix and namesuffix to find matched reference for cluster level kinds
33fff65
move strategic merge patch transformer to a builtin transformer
31ab347
refactor the strategic merge patch transformer toward moving it to a plugin (#1340)
v3.0.1
Changelog
c912bae
Enable ns transformer for webhook
f996ac8
Fix typo in the go plugin guide
483188b
Generate updated ns transformer
efcb7cc
Update README.md
8b60b45
Update README.md
c64a72f
Update goPluginGuidedExample.md
3bf13f8
Update goPluginGuidedExample.md
6b597f8
Update v3 notes
49b3247
fix the regression on merging configmap with different namespace
v3.0.0
v2.1.0
v2.0.3
Changelog
45ba785
Add configmaps test for json string
8bbe147
Add webhooks to order list of gvk
ea3d5e6
Fix for #818 - Added support for quoted values
eb75203
Fix for #831 - Ignore domain when finding the image tag
6bfd7cf
Improve error handling during var resolution.
ed2ad86
Move trim quotes logic to separate function
ff6cd3c
Report unused variables.
1303ea3
Run kustomize tests on OSX
e666630
Simplify map conversion logic
9d77cbe
Update golang/x/net dependency to release-branch.go1.11
28cefb3
improve error message for loading files listed under crds
78cbff1
improve error message in json patch transformer
b0c3cd7
update the doc for crds: the files in this list should be openAPI definition
f4eef1d
update transformerconfigs/crd example
v2.0.2
Changelog
901455e
Add Pod initContainer to var reference
bf1c801
Add doc indicating existing of 'behavior' in configMapGenerator
f5f8e49
Add explanatory comments and format
1f063d6
Add more git url regression coverage
d4d993a
Add more resid test coverage.
7d3735b
Adding goos and goarch from runtime
1382d87
Change ExpandFileSource to work with key=val patterns
5e6c06f
Change imagetag to image in docs/eschewedFeatures.md
0f30c09
Delete extraneous copyright.
773c1f2
Make requested wording changes from MR for behavior document
0488f57
More generator tests.
77eebb8
Review changes
48717f3
Switch to black box testing of KustTarget and Resource
1a03dca
Test missing file report
d72b162
add a test for a list with no 'items:' provided
8c93f7b
add support for varref in maps values
3118ccf
add tests for *List kinds and empty lists
d968c0b
add varref mountpath test case
9837b5b
add volumeMounts/mountPath to varreference
1eab47b
fix abs path with symlinks
1a43759
fix invalid relative path in kustomization.yaml
fdba7df
if the kind matches '*List$', treat it as a list
0e459eb
prevent panic on image transformer
cebcd8a
transformers/image: loop refactoring
b15b204
typo: changes verb number to agree with subject
1d005d4
typo: makes verb number agree with subject
v2.0.1
release notes:
- add nil pointer check when loading from remote URL #779
- improve error message when customization file is not found #771
Changelog
ccc4461
Fix nil ptr bug
d720e9e
Fix some typos in versioning policy
242b920
Improve error msg returned when no kustomization file is found
7c8db24
Rename kv.KVPair to kv.Pair
9e69b9d
Typos in versioning
fc5c726
add documentation for kustomize 2.0.0
e41ca93
move package and add tests
e14ebc0
refactor kv pairs
mozilla/sops (mozilla/sops)
v3.8.1
Note from the Maintainers
In this release of SOPS, we have focused on landing a variety of bug fixes to improve the overall user experience.
For a comprehensive list of changes, please refer to `CHANGELOG.rst`.
Important Information for SOPS SDK Users
With the project transitioning from the Mozilla Foundation to the CNCF, the Go module path has been updated to reflect this change in ownership. If you use `go.mozilla.org/sops/v3` as a library, going forward, import the Go Module using `github.com/getsops/sops/v3`. Apart from this small adjustment, the SDK's API remains fully backward compatible.
For a one-liner to quickly implement this change throughout your codebase, please refer to: https://github.com/getsops/sops/issues/1246#issuecomment-1625526429
Installation
To install `sops`, download one of the pre-built binaries provided for your platform from the artifacts attached to this release.
For instance, if you are using Linux on an AMD64 architecture:
```shell
# Download the binary
curl -LO https://github.com/getsops/sops/releases/download/v3.8.1/sops-v3.8.1.linux.amd64
# Move the binary in to your PATH
mv sops-v3.8.1.linux.amd64 /usr/local/bin/sops
# Make the binary executable
chmod +x /usr/local/bin/sops
```
Verify checksums file signature
The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:
```shell
# Download the checksums file, certificate and signature
curl -LO https://github.com/getsops/sops/releases/download/v3.8.1/sops-v3.8.1.checksums.txt
curl -LO https://github.com/getsops/sops/releases/download/v3.8.1/sops-v3.8.1.checksums.pem
curl -LO https://github.com/getsops/sops/releases/download/v3.8.1/sops-v3.8.1.checksums.sig
# Verify the checksums file
cosign verify-blob sops-v3.8.1.checksums.txt \
  --certificate sops-v3.8.1.checksums.pem \
  --signature sops-v3.8.1.checksums.sig \
  --certificate-identity-regexp=https://github.com/getsops \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com
```
Verify binary integrity
To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature:
```shell
# Verify the binary using the checksums file
sha256sum -c sops-v3.8.1.checksums.txt --ignore-missing
```
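An added example, not part of the SOPS release notes: the install and verification steps above reordered so that the binary is checked before it is placed on `PATH`, with a digest check that fails closed when the artifact has no entry, or more than one, in the checksums file. The function names are assumptions made for this example; the Cosign identity pattern is the release notes' prefix in anchored form.

```shell
#!/bin/sh
# Added example: verify-then-install for a downloaded sops release binary.
# All function names below are hypothetical helpers, not part of sops.

# Step 1 (needs network access and cosign): check the signature on the
# checksums file. Flags are the ones from the release notes; the identity
# pattern is anchored so that an owner name that merely starts with
# "getsops" cannot satisfy it.
verify_checksums_signature() {
  base="$1"   # e.g. sops-v3.8.1.checksums (no extension)
  cosign verify-blob "${base}.txt" \
    --certificate "${base}.pem" \
    --signature "${base}.sig" \
    --certificate-identity-regexp='^https://github\.com/getsops/' \
    --certificate-oidc-issuer=https://token.actions.githubusercontent.com
}

# Step 2: print the expected SHA-256 for one artifact name.
# Fails unless the checksums file holds exactly one entry for that name.
expected_digest() {
  checksums="$1"
  name="$2"
  matches=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1 }' "$checksums")
  if [ -z "$matches" ]; then
    echo "no checksum entry for $name" >&2
    return 1
  fi
  if [ "$(printf '%s\n' "$matches" | wc -l)" -ne 1 ]; then
    echo "more than one checksum entry for $name" >&2
    return 1
  fi
  printf '%s\n' "$matches"
}

# Step 3: compare the artifact's actual digest with the expected one.
verify_artifact() {
  checksums="$1"
  artifact="$2"
  want=$(expected_digest "$checksums" "$(basename "$artifact")") || return 1
  got=$(sha256sum "$artifact" | awk '{ print $1 }') || return 1
  if [ "$want" != "$got" ]; then
    echo "digest mismatch for $artifact" >&2
    return 1
  fi
}

# Step 4: install only after the digest check has passed.
install_verified() {
  checksums="$1"
  artifact="$2"
  dest="$3"
  verify_artifact "$checksums" "$artifact" || return 1
  install -m 0755 "$artifact" "$dest"
}

# Typical sequence, run from the download directory:
#   verify_checksums_signature sops-v3.8.1.checksums &&
#   install_verified sops-v3.8.1.checksums.txt \
#     sops-v3.8.1.linux.amd64 /usr/local/bin/sops
```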
Verify artifact provenance
The SLSA provenance of the binaries, packages, and SBOMs can be found within the artifacts associated with this release. It is presented through an in-toto link metadata file named `sops-v3.8.1.intoto.jsonl`. To verify the provenance of an artifact, you can utilize the `slsa-verifier` tool:
```shell
# Download the metadata file
curl -LO https://github.com/getsops/sops/releases/download/v3.8.1/sops-v3.8.1.intoto.jsonl
# Verify the provenance of the artifact
slsa-verifier verify-artifact <artifact> \
  --provenance-path sops-v3.8.1.intoto.jsonl \
  --source-uri github.com/getsops/sops \
  --source-tag v3.8.1
```
Container Images
The `sops` binaries are also available as container images, based on Debian (slim) and Alpine Linux. The Debian-based container images include any dependencies which may be required to make use of certain key services, such as GnuPG, AWS KMS, Azure Key Vault, and Google Cloud KMS. The Alpine-based container images are smaller in size, but do not include these dependencies.
These container images are available for the following architectures: `linux/amd64` and `linux/arm64`.
GitHub Container Registry
ghcr.io/getsops/sops:v3.8.1
ghcr.io/getsops/sops:v3.8.1-alpine
Quay.io
quay.io/getsops/sops:v3.8.1
quay.io/getsops/sops:v3.8.1-alpine
Verify container image signature
The container images are signed using Cosign with GitHub OIDC. To validate the signature of an image, run the following command:
```shell
cosign verify ghcr.io/getsops/sops:v3.8.1 \
  --certificate-identity-regexp=https://github.com/getsops \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  -o text
```
Verify container image provenance
The container images include SLSA provenance attestations. For more information around the verification of this, please refer to the `slsa-verifier` documentation.
Software Bill of Materials
The Software Bill of Materials (SBOM) for each binary is accessible within the artifacts enclosed with this release. It is presented as an SPDX JSON file, formatted as `<binary>.spdx.sbom.json`.
What's Changed
- build(deps): Bump the ci group with 3 updates by @dependabot in https://github.com/getsops/sops/pull/1295
- pgp: improve handling of GnuPG home dir by @hiddeco in https://github.com/getsops/sops/pull/1298
- Delete sops encrypted file we don't have keys for by @felixfontein in https://github.com/getsops/sops/pull/1288
- Improve handling of errors when binary store handles bad data by @felixfontein in https://github.com/getsops/sops/pull/1289
- On macOS, prefer XDG_CONFIG_HOME over os.UserConfigDir() by @felixfontein in https://github.com/getsops/sops/pull/1291
- Do not crash if an empty YAML file is encrypted by @felixfontein in https://github.com/getsops/sops/pull/1290
- Fix descriptions of unencrypted-regex and encrypted-regex flags, and ensure unencrypted_regex is considered in config validation by @mitar in https://github.com/getsops/sops/pull/1300
- build(deps): Bump the go group with 4 updates by @dependabot in https://github.com/getsops/sops/pull/1306
- build(deps): Bump the ci group with 1 update by @dependabot in https://github.com/getsops/sops/pull/1301
- Handle return values of dec.Token() to improve error messages by @felixfontein in https://github.com/getsops/sops/pull/1307
- pgp: make error the last return value by @felixfontein in https://github.com/getsops/sops/pull/1310
- pgp: do not require abs path for SopsGpgExecEnv by @holiman in https://github.com/getsops/sops/pull/1309
- decrypt: fix dropped error by @alrs in https://github.com/getsops/sops/pull/1304
- Handle errors by @felixfontein in https://github.com/getsops/sops/pull/1311
- Report key rotation errors by @felixfontein in https://github.com/getsops/sops/pull/1317
- cmd/sops/main.go: make sure to wrap raw errors with toExitError() by @felixfontein in https://github.com/getsops/sops/pull/1318
- build(deps): Bump the go group with 7 updates by @dependabot in https://github.com/getsops/sops/pull/1319
- Enrich AWS authentication documentation by @nsantiago2719 in https://github.com/getsops/sops/pull/1272
- Better error reporting for missing gpg binary by @makkes in https://github.com/getsops/sops/pull/1286
- Improve RST and MD files by @felixfontein in https://github.com/getsops/sops/pull/1320
- Add linting for RST and MD files by @felixfontein in https://github.com/getsops/sops/pull/1287
- Update dependencies by @hiddeco in https://github.com/getsops/sops/pull/1325
- Prepare v3.8.1 by @hiddeco in https://github.com/getsops/sops/pull/1324
New Contributors
- @mitar made their first contribution in https://github.com/getsops/sops/pull/1300
- @holiman made their first contribution in https://github.com/getsops/sops/pull/1309
- @alrs made their first contribution in https://github.com/getsops/sops/pull/1304
- @nsantiago2719 made their first contribution in https://github.com/getsops/sops/pull/1272
- @makkes made their first contribution in https://github.com/getsops/sops/pull/1286
Full Changelog: https://github.com/getsops/sops/compare/v3.8.0...v3.8.1
v3.8.0
Note from the Maintainers
We are extremely happy to introduce this new minor release of SOPS, now a CNCF Sandbox project under the stewardship of a new group of maintainers.
This release involved significant effort in rewriting and enhancing key source implementations, and includes a number of bug fixes which people had been patiently waiting on for a long period of time. In addition, the release process has been built up from scratch, and now provides enhanced assurance by publishing SBOMs (Software Bill of Materials), SLSA3 provenance attestations and a Cosign signed checksums file as release artifacts.
For a comprehensive list of changes, please refer to `CHANGELOG.rst`.
Important Information for SOPS SDK Users
With the project transitioning from the Mozilla Foundation to the CNCF, the Go module path has been updated to reflect this change in ownership. If you use `go.mozilla.org/sops/v3` as a library, going forward, import the Go Module using `github.com/getsops/sops/v3`. Apart from this small adjustment, the SDK's API remains fully backward compatible.
For a one-liner to quickly implement this change throughout your codebase, please refer to: https://github.com/getsops/sops/issues/1246#issuecomment-1625526429
Installation
To install `sops`, download one of the pre-built binaries provided for your platform from the artifacts attached to this release.
For instance, if you are using Linux on an AMD64 architecture:
```shell
# Download the binary
curl -LO https://github.com/getsops/sops/releases/download/v3.8.0/sops-v3.8.0.linux.amd64
# Move the binary in to your PATH
mv sops-v3.8.0.linux.amd64 /usr/local/bin/sops
# Make the binary executable
chmod +x /usr/local/bin/sops
```
Verify checksums file signature
The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:
```shell
# Download the checksums file, certificate and signature
curl -LO https://github.com/getsops/sops/releases/download/v3.8.0/sops-v3.8.0.checksums.txt
curl -LO https://github.com/getsops/sops/releases/download/v3.8.0/sops-v3.8.0.checksums.pem
curl -LO https://github.com/getsops/sops/releases/download/v3.8.0/sops-v3.8.0.checksums.sig
# Verify the checksums file
cosign verify-blob sops-v3.8.0.checksums.txt \
  --certificate sops-v3.8.0.checksums.pem \
  --signature sops-v3.8.0.checksums.sig \
  --certificate-identity-regexp=https://github.com/getsops \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com
```
Verify binary integrity
To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature:
```shell
# Verify the binary using the checksums file
sha256sum -c sops-v3.8.0.checksums.txt --ignore-missing
```
Verify artifact provenance
The SLSA provenance of the binaries, packages, and SBOMs can be found within the artifacts associated with this release. It is presented through an in-toto link metadata file named `sops-v3.8.0.intoto.jsonl`. To verify the provenance of an artifact, you can utilize the `slsa-verifier` tool:
```shell
# Download the metadata file
curl -LO https://github.com/getsops/sops/releases/download/v3.8.0/sops-v3.8.0.intoto.jsonl
# Verify the provenance of the artifact
slsa-verifier verify-artifact <artifact> \
  --provenance-path sops-v3.8.0.intoto.jsonl \
  --source-uri github.com/getsops/sops \
  --source-tag v3.8.0
```
Container Images
The `sops` binaries are also available as container images, based on Debian (slim) and Alpine Linux. The Debian-based container images include any dependencies which may be required to make use of certain key services, such as GnuPG, AWS KMS, Azure Key Vault, and Google Cloud KMS. The Alpine-based container images are smaller in size, but do not include these dependencies.
These container images are available for the following architectures: `linux/amd64` and `linux/arm64`.
GitHub Container Registry
ghcr.io/getsops/sops:v3.8.0
ghcr.io/getsops/sops:v3.8.0-alpine
Quay.io
quay.io/getsops/sops:v3.8.0
quay.io/getsops/sops:v3.8.0-alpine
Verify container image signature
The container images are signed using Cosign with GitHub OIDC. To validate the signature of an image, run the following command:
```shell
cosign verify ghcr.io/getsops/sops:v3.8.0 \
  --certificate-identity-regexp=https://github.com/getsops \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  -o text
```
Verify container image provenance
The container images include SLSA provenance attestations. For more information around the verification of this, please refer to the `slsa-verifier` documentation.
Software Bill of Materials
The Software Bill of Materials (SBOM) for each binary is accessible within the artifacts enclosed with this release. It is presented as an SPDX JSON file, formatted as `<binary>.spdx.sbom.json`.
What's Changed
- chore: update dependencies by @hiddeco in https://github.com/getsops/sops/pull/1275
- build: pin actions to full length commit SHA and add CodeQL by @hiddeco in https://github.com/getsops/sops/pull/1276
- Enable Dependabot for Docker, GitHub Actions and Go Mod by @hiddeco in https://github.com/getsops/sops/pull/1277
- build(deps): Bump the go group with 2 updates by @dependabot in https://github.com/getsops/sops/pull/1280
- build(deps): Bump the ci group with 6 updates by @dependabot in https://github.com/getsops/sops/pull/1279
- release: generate versioned `.intoto.jsonl` by @hiddeco in https://github.com/getsops/sops/pull/1278
- pgp: remove `DisableAgent` option by @hiddeco in https://github.com/getsops/sops/pull/1282
- keyservices: address logging regression by @hiddeco in https://github.com/getsops/sops/pull/1281
- chore: update dependencies by @hiddeco in https://github.com/getsops/sops/pull/1283
- Prepare v3.8.0 by @hiddeco in https://github.com/getsops/sops/pull/1284
Full Changelog: https://github.com/getsops/sops/compare/v3.8.0-rc.1...v3.8.0
Configuration
- [ ] If you want to rebase/retry this MR, check this box
This MR has been generated by Renovate Bot.