🛡️ security(VSecM Helm Charts): add security labels to namespaces (#1035

)

* 🛡️ security(VSecM Helm Charts): add security labels to namespaces

Signed-off-by: Volkan Özçelik <[email protected]>

* version update

Signed-off-by: Volkan Özçelik <[email protected]>

* add helm charts work

Signed-off-by: Volkan Özçelik <[email protected]>

* remove redundant manifests

Signed-off-by: Volkan Özçelik <[email protected]>

---------

Signed-off-by: Volkan Özçelik <[email protected]>

Makefile

@@ -12,7 +12,7 @@
 ifdef VSECM_VERSION
 	VERSION := $(VSECM_VERSION)
 else
-	VERSION := 0.26.0
+	VERSION := 0.26.1
 endif
 
 # Set deploySpire to false, if you want to use existing spire deployment

dockerfiles/example/init-container.Dockerfile

@@ -23,7 +23,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o example \
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
 
-ENV APP_VERSION="0.26.0"
+ENV APP_VERSION="0.26.1"
 
 LABEL "maintainers"="VSecM Maintainers <[email protected]>"
 LABEL "version"=$APP_VERSION

dockerfiles/example/multiple-secrets.Dockerfile

@@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o sloth \
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
 
-ENV APP_VERSION="0.26.0"
+ENV APP_VERSION="0.26.1"
 
 LABEL "maintainers"="VSecM Maintainers <[email protected]>"
 LABEL "version"=$APP_VERSION

dockerfiles/example/sdk-go.Dockerfile

@@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o env \
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
 
-ENV APP_VERSION="0.26.0"
+ENV APP_VERSION="0.26.1"
 
 LABEL "maintainers"="VSecM Maintainers <[email protected]>"
 LABEL "version"=$APP_VERSION

dockerfiles/example/sidecar.Dockerfile

@@ -25,7 +25,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o env \
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
 
-ENV APP_VERSION="0.26.0"
+ENV APP_VERSION="0.26.1"
 
 LABEL "maintainers"="VSecM Maintainers <[email protected]>"
 LABEL "version"=$APP_VERSION

dockerfiles/util/inspector.Dockerfile

@@ -27,7 +27,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o sloth \
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
 
-ENV APP_VERSION="0.26.0"
+ENV APP_VERSION="0.26.1"
 
 LABEL "maintainers"="VSecM Maintainers <[email protected]>"
 LABEL "version"=$APP_VERSION

dockerfiles/util/keygen.Dockerfile

@@ -24,7 +24,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o vsecm-keygen \
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
 
-ENV APP_VERSION="0.26.0"
+ENV APP_VERSION="0.26.1"
 
 LABEL "maintainers"="VSecM Maintainers <[email protected]>"
 LABEL "version"=$APP_VERSION

dockerfiles/vsecm-ist-fips/init-container.Dockerfile

@@ -27,7 +27,7 @@ RUN CGO_ENABLED=0 GOEXPERIMENT=boringcrypto GOOS=linux go build -mod vendor -a -
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
 
-ENV APP_VERSION="0.26.0"
+ENV APP_VERSION="0.26.1"
 
 LABEL "maintainers"="VSecM Maintainers <[email protected]>"
 LABEL "version"=$APP_VERSION

dockerfiles/vsecm-ist-fips/keystone.Dockerfile

@@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOEXPERIMENT=boringcrypto GOOS=linux go build -mod vendor -a -
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
 
-ENV APP_VERSION="0.26.0"
+ENV APP_VERSION="0.26.1"
 
 LABEL "maintainers"="VSecM Maintainers <[email protected]>"
 LABEL "version"=$APP_VERSION

dockerfiles/vsecm-ist-fips/safe.Dockerfile

@@ -25,7 +25,7 @@ RUN CGO_ENABLED=0 GOEXPERIMENT=boringcrypto GOOS=linux go build -mod vendor -a -
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
 
-ENV APP_VERSION="0.26.0"
+ENV APP_VERSION="0.26.1"
 
 LABEL "maintainers"="VSecM Maintainers <[email protected]>"
 LABEL "version"=$APP_VERSION

dockerfiles/vsecm-ist-fips/sentinel.Dockerfile

@@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOEXPERIMENT=boringcrypto GOOS=linux go build -mod vendor -a -
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
 
-ENV APP_VERSION="0.26.0"
+ENV APP_VERSION="0.26.1"
 
 LABEL "maintainers"="VSecM Maintainers <[email protected]>"
 LABEL "version"=$APP_VERSION

dockerfiles/vsecm-ist-fips/sidecar.Dockerfile

@@ -26,7 +26,7 @@ RUN CGO_ENABLED=0 GOEXPERIMENT=boringcrypto GOOS=linux go build -mod vendor -a -
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
 
-ENV APP_VERSION="0.26.0"
+ENV APP_VERSION="0.26.1"
 
 LABEL "maintainers"="VSecM Maintainers <[email protected]>"
 LABEL "version"=$APP_VERSION

dockerfiles/vsecm-ist/init-container.Dockerfile

@@ -25,7 +25,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o vsecm-init-container \
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
 
-ENV APP_VERSION="0.26.0"
+ENV APP_VERSION="0.26.1"
 
 LABEL "maintainers"="VSecM Maintainers <[email protected]>"
 LABEL "version"=$APP_VERSION

dockerfiles/vsecm-ist/keystone.Dockerfile

@@ -24,7 +24,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o vsecm-keystone \
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
 
-ENV APP_VERSION="0.26.0"
+ENV APP_VERSION="0.26.1"
 
 LABEL "maintainers"="VSecM Maintainers <[email protected]>"
 LABEL "version"=$APP_VERSION

dockerfiles/vsecm-ist/safe.Dockerfile

@@ -23,7 +23,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o vsecm-safe ./app/safe/cm
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
 
-ENV APP_VERSION="0.26.0"
+ENV APP_VERSION="0.26.1"
 
 LABEL "maintainers"="VSecM Maintainers <[email protected]>"
 LABEL "version"=$APP_VERSION

dockerfiles/vsecm-ist/sentinel.Dockerfile

@@ -24,7 +24,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o sloth ./app/sentinel/bac
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
 
-ENV APP_VERSION="0.26.0"
+ENV APP_VERSION="0.26.1"
 
 LABEL "maintainers"="VSecM Maintainers <[email protected]>"
 LABEL "version"=$APP_VERSION

dockerfiles/vsecm-ist/sidecar.Dockerfile

@@ -23,7 +23,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o vsecm-sidecar ./app/side
 # generate clean, final image for end users
 FROM gcr.io/distroless/static-debian11
 
-ENV APP_VERSION="0.26.0"
+ENV APP_VERSION="0.26.1"
 
 LABEL "maintainers"="VSecM Maintainers <[email protected]>"
 LABEL "version"=$APP_VERSION

docs/config.toml

@@ -22,4 +22,4 @@ smart_punctuation = true
 
 [extra]
 author = "VMware Secrets Manager Contributors"
-version = "0.26.0"
+version = "0.26.1"

docs/content/timeline/changelog.md

@@ -17,7 +17,7 @@ weight = 11
 
 TBD
 
-## [0.26.0] - 2024-06-28
+## [0.26.1] - 2024-06-28
 
 ### Added
 

docs/content/timeline/roadmap.md

@@ -242,7 +242,7 @@ We will create new iterations from it as the time gets closer.
 
 ## Closed Iterations
 
-### VSecM v0.26.0 (*codename: Fornax*)
+### VSecM v0.26.1 (*codename: Fornax*)
 
 **Apr 25, 2024 - May 22, 2024**
 
@@ -252,7 +252,7 @@ We also introduced a lot of flexibility such as ability to use custom
 namespaces, trust domains, and regex-based SPIFFEID validation.
 
 [Here is a list of issues that are candidate for VSecM vFornax
-](https://github.com/vmware-tanzu/secrets-manager/issues?q=+label%3Av0.26.0-candidate+).
+](https://github.com/vmware-tanzu/secrets-manager/issues?q=+label%3Av0.26.1-candidate+).
 
 ### VSecM v0.25.0 (*codename: Eridanus*)
 

examples/multiple_secrets/k8s-eks/Deployment.yaml

@@ -28,7 +28,7 @@ spec:
       serviceAccountName: example
       containers:
       - name: main
-        image: vsecm/example-multiple-secrets:0.26.0
+        image: vsecm/example-multiple-secrets:0.26.1
         volumeMounts:
         # Volume mount for SPIRE unix domain socket.
         - name: spire-agent-socket

examples/multiple_secrets/k8s-eks/image-override.yaml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: main
-        image: public.ecr.aws/h8y1n7y7/example-multiple-secrets:0.26.0
+        image: public.ecr.aws/h8y1n7y7/example-multiple-secrets:0.26.1
         env:
           - name: VSECM_LOG_LEVEL
             value: "7"

examples/multiple_secrets/k8s/Deployment.yaml

@@ -28,7 +28,7 @@ spec:
       serviceAccountName: example
       containers:
       - name: main
-        image: vsecm/example-multiple-secrets:0.26.0
+        image: vsecm/example-multiple-secrets:0.26.1
         volumeMounts:
         # Volume mount for SPIRE unix domain socket.
         - name: spire-agent-socket

examples/multiple_secrets/k8s/image-override.yaml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: main
-        image: localhost:5000/example-multiple-secrets:0.26.0
+        image: localhost:5000/example-multiple-secrets:0.26.1
         env:
           - name: VSECM_LOG_LEVEL
             value: "7"

examples/operator_decrpyt_secrets/reveal.sh

@@ -9,7 +9,7 @@
 # <>/' Copyright 2023-present VMware Secrets Manager contributors.
 # >/'  SPDX-License-Identifier: BSD-2-Clause
 # */
-VERSION="0.26.0"
+VERSION="0.26.1"
 
 docker run --rm \
   -v "$(pwd)":/vsecm \

examples/using_init_container/k8s-eks/Deployment.yaml

@@ -28,13 +28,13 @@ spec:
       serviceAccountName: example
       containers:
       - name: main
-        image: vsecm/example-using-init-container:0.26.0
+        image: vsecm/example-using-init-container:0.26.1
 
       initContainers:
       # See `./register.sh` to register the workload and finalize
       # this init container.
       - name: init-container
-        image: vsecm/vsecm-ist-init-container:0.26.0
+        image: vsecm/vsecm-ist-init-container:0.26.1
         volumeMounts:
         # Volume mount for SPIRE unix domain socket.
         - name: spire-agent-socket

examples/using_init_container/k8s-eks/image-override.yaml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: main
-        image: public.ecr.aws/h8y1n7y7/example-using-init-container:0.26.0
+        image: public.ecr.aws/h8y1n7y7/example-using-init-container:0.26.1
       initContainers:
       - name: init-container
-        image: public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.26.0
+        image: public.ecr.aws/h8y1n7y7/vsecm-ist-init-container:0.26.1

examples/using_init_container/k8s/Deployment.yaml

@@ -28,13 +28,13 @@ spec:
       serviceAccountName: example
       containers:
       - name: main
-        image: vsecm/example-using-init-container:0.26.0
+        image: vsecm/example-using-init-container:0.26.1
 
       initContainers:
       # See `./register.sh` to register the workload and finalize
       # this init container.
       - name: init-container
-        image: vsecm/vsecm-ist-init-container:0.26.0
+        image: vsecm/vsecm-ist-init-container:0.26.1
         volumeMounts:
         # Volume mount for SPIRE unix domain socket.
         - name: spire-agent-socket

examples/using_init_container/k8s/image-override.yaml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: main
-        image: localhost:5000/example-using-init-container:0.26.0
+        image: localhost:5000/example-using-init-container:0.26.1
       initContainers:
       - name: init-container
-        image: localhost:5000/vsecm-ist-init-container:0.26.0
+        image: localhost:5000/vsecm-ist-init-container:0.26.1

examples/using_sdk_go/k8s-eks/Deployment.yaml

@@ -28,7 +28,7 @@ spec:
       serviceAccountName: example
       containers:
       - name: main
-        image: vsecm/example-using-sdk-go:0.26.0
+        image: vsecm/example-using-sdk-go:0.26.1
         volumeMounts:
         # Volume mount for SPIRE unix domain socket.
         - name: spire-agent-socket

examples/using_sdk_go/k8s-eks/image-override.yaml

@@ -18,4 +18,4 @@ spec:
     spec:
       containers:
       - name: main
-        image: public.ecr.aws/h8y1n7y7/example-using-sdk-go:0.26.0
+        image: public.ecr.aws/h8y1n7y7/example-using-sdk-go:0.26.1

examples/using_sdk_go/k8s/Deployment.yaml

@@ -28,7 +28,7 @@ spec:
       serviceAccountName: example
       containers:
       - name: main
-        image: vsecm/example-using-sdk-go:0.26.0
+        image: vsecm/example-using-sdk-go:0.26.1
         volumeMounts:
         # Volume mount for SPIRE unix domain socket.
         - name: spire-agent-socket

examples/using_sdk_go/k8s/image-override.yaml

@@ -18,4 +18,4 @@ spec:
     spec:
       containers:
       - name: main
-        image: localhost:5000/example-using-sdk-go:0.26.0
+        image: localhost:5000/example-using-sdk-go:0.26.1

examples/using_sidecar/k8s-eks/Deployment.yaml

@@ -28,13 +28,13 @@ spec:
       serviceAccountName: example
       containers:
       - name: main
-        image: vsecm/example-using-sidecar:0.26.0
+        image: vsecm/example-using-sidecar:0.26.1
         volumeMounts:
         # `main` shares this volume with `sidecar`.
         - mountPath: /opt/vsecm
           name: vsecm-secrets-volume
       - name: sidecar
-        image: vsecm/vsecm-ist-sidecar:0.26.0
+        image: vsecm/vsecm-ist-sidecar:0.26.1
         volumeMounts:
         # /opt/vsecm/secrets.json is the place the secrets will be at.
         - mountPath: /opt/vsecm

examples/using_sidecar/k8s-eks/image-override.yaml

@@ -18,6 +18,6 @@ spec:
     spec:
       containers:
       - name: main
-        image: public.ecr.aws/h8y1n7y7/example-using-sidecar:0.26.0
+        image: public.ecr.aws/h8y1n7y7/example-using-sidecar:0.26.1
       - name: sidecar
-        image: public.ecr.aws/h8y1n7y7/vsecm-ist-sidecar:0.26.0
+        image: public.ecr.aws/h8y1n7y7/vsecm-ist-sidecar:0.26.1

examples/using_sidecar/k8s/Deployment.yaml

@@ -28,13 +28,13 @@ spec:
       serviceAccountName: example
       containers:
       - name: main
-        image: vsecm/example-using-sidecar:0.26.0
+        image: vsecm/example-using-sidecar:0.26.1
         volumeMounts:
         # `main` shares this volume with `sidecar`.
         - mountPath: /opt/vsecm
           name: vsecm-secrets-volume
       - name: sidecar
-        image: vsecm/vsecm-ist-sidecar:0.26.0
+        image: vsecm/vsecm-ist-sidecar:0.26.1
         volumeMounts:
         # /opt/vsecm/secrets.json is the place the secrets will be at.
         - mountPath: /opt/vsecm

examples/using_sidecar/k8s/image-override.yaml

@@ -18,6 +18,6 @@ spec:
     spec:
       containers:
       - name: main
-        image: localhost:5000/example-using-sidecar:0.26.0
+        image: localhost:5000/example-using-sidecar:0.26.1
       - name: sidecar
-        image: localhost:5000/vsecm-ist-sidecar:0.26.0
+        image: localhost:5000/vsecm-ist-sidecar:0.26.1

examples/using_vsecm_inspector/Deployment.yaml

@@ -28,7 +28,7 @@ spec:
       serviceAccountName: vsecm-inspector
       containers:
         - name: main
-          image: localhost:5000/vsecm-inspector:0.26.0
+          image: localhost:5000/vsecm-inspector:0.26.1
           volumeMounts:
             - name: spire-agent-socket
               mountPath: /spire-agent-socket

examples/workshop_aegis/init-container/Deployment.yaml

@@ -28,7 +28,7 @@ spec:
       serviceAccountName: example
       containers:
       - name: main
-        image: vsecm/example-using-init-container:0.26.0
+        image: vsecm/example-using-init-container:0.26.1
         env:
         - name: SECRET
           valueFrom:
@@ -50,7 +50,7 @@ spec:
       # See `./register.sh` to register the workload and finalize
       # this init container.
       - name: init-container
-        image: vsecm/vsecm-ist-init-container:0.26.0
+        image: vsecm/vsecm-ist-init-container:0.26.1
         volumeMounts:
         # Volume mount for SPIRE unix domain socket.
         - name: spire-agent-socket