DIST:
- CI
- Build with Golang 1.21
- Dependency updates
DIST:
- CI
- Build with Golang 1.20.6
- Dependency updates
DIST:
- CI
- Dependency updates
DIST:
- CI
- Build with Golang 1.20.5
- Enable Golang memory arenas
- Golang 1.18 removed from supported toolchain versions
FEATURES:
- container/seal:
- Support Pre-shared Key sealing to reduce blast radius in the case of an identity leak. #106
DIST:
- CI:
- Build with Golang 1.19.2
BREAKING-CHANGES:
- Package renamed from
github.com/elastic/harp
tozntr.io/harp/v2
.
DIST:
-
First version from
zntrio
fork -
sdk/tools:
- github.com/daixiang0/gci v0.4.3
- github.com/elastic/go-licenser v0.4.1
- github.com/golangci/golangci-lint v1.47.1
- github.com/magefile/mage v1.13.0
- google.golang.org/protobuf v1.28.0
- gotest.tools/gotestsum v1.8.1
- mvdan.cc/gofumpt v0.3.1
-
CI:
- Build with Golang 1.18.4
DIST:
- CI:
- fix cosign public key location.
BREAKING-CHANGES:
- FIPS artifacts are disabled by default on GitHub Actions CI but still can be built locally.
harp-artifacts
containing all harp binaries will not be produced anymore.
FEATURES:
-
cli/lint:
- Provide command to Lint YAML/JSON content for
Bundle
,BundleTemplate
,RuleSet
andBundlePatch
. #138
- Provide command to Lint YAML/JSON content for
-
cli/render:
- Generate a configuration file system from an archive. #149
-
cli/template:
- Support archive as file loader.
-
sdk/api:
-
sdk/crate:
- A crate is an OCI Compatible image which can be pushed to OCI compliant registries.
crate push
is used to prepare acrate
with asealed container
and optionally an archive - OCI Push #138- This is used to publish the sealed container and the templates used to render the final configuration.
crate copy
is used to retrieve a remote crate from a registry. #147
DIST:
- docker:
- Multi-architecture docker images are produced.
FEATURES:
-
cli:
darwin-amd64
anddarwin-arm64
are code signed and notarized using an Apple Developer ID certificate to allow harp execution on Silicon M1 based computers. #134
-
cli/transform:
-
bundle/ruleset:
- enable
rego
language for RuleSet constraint engine. #134
- enable
-
sdk/api:
- support
user_data
forBundle
,Package
,SecretChain
to store custom arbitrary data during pipeline execution. #134
- support
-
sdk/value:
CHANGES:
-
go:
- FIPS artifact build process is disabled.
-
git:
- the tag
cmd/harp/vX.XX
will never be produced.
- the tag
-
ci:
dependabot
setup to monitor and automate dependency updates.- the release pipeline has been completely redesigned to use goreleaser.
- SLSA
provenance
is temporary disabled due to a lack of the multiplatform support for the used action.
DIST:
-
build/ci:
- SHA256 fingerprint is provided per artifact.
- SBOM is embedded in the artifact archive.
-
build/gha:
- zntrio/harp-installer github action could be used to set up harp during your github action pipelines.
FEATURES:
- bundle/from:
- read a
HCL
bundle descriptor to generate the binary bundle. #114
- read a
- bundle/patch:
- bundle/selector:
DIST:
- go: Build with Golang 1.17.7.
- go-boring: Build with Golang 1.17.7b7.
FEATURES:
- template/engine:
isodate
time formatter to RFC3389 date format.
- bundle/pipeline:
- Support custom input reader and output writer. #105
- bundle/selector:
- sdk/value:
DIST
- go: Build with Golang 1.17.6.
- build/ci
- Add SLSA Level 1 - Provenance generation step for binaries.
- Add Snyk as code / dependencies scanner via SARIF.
- Add Trivy dependencies scanner via SARIF.
FEATURES:
- api/proto:
BundlePatch
:PatchOperation
object supportsreplaceKeys
used to replace a key in the secret data
- cmd/to:
github-actions
secret exporter has been implemented to export all the filtered secret of a bundle as GitHub Repository Secrets.
- template/engine #95
parseJwt
to parse JWT without signature validationverifyJwt
to parse a JWT with signature validation
- template/engine #97
parsePemCertificate
to decode a PEM content as a certificateparsePemCertificateBundle
to decode a PEM content as a collection of certificatesparsePemCertificateRequest
to decode a PEM content as a certificate requesttoTLSA
to generate a TLSA-DANE fingerprint from a given certificate
CHANGES:
-
sdk/dep: #100
- github.com/fernet/fernet-go v0.0.0-20211208181803-9f70042a33ee
- github.com/gosimple/slug v1.12.0
- github.com/hashicorp/consul/api v1.12.0
- github.com/hashicorp/vault/api v1.30.1
- github.com/magefile/mage v1.12.1
- github.com/spf13/afero v1.8.0
- github.com/spf13/cobra v1.3.0
- github.com/spf13/viper v1.10.1
- go.step.sm/crypto v0.15.0
- go.uber.org/zap v1.20.0
- golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3
- golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8
- golang.org/x/sys v0.0.0-20211210111614-af8b64212486
- google.golang.org/genproto v0.0.0-20220126215142-9970aeb2e350
- google.golang.org/grpc v1.44.0
-
sdk/tools:
- Replace
go-header
dependency bygithub.com/denis-tingaikin/go-header
to prevent a possible identity spoofing. #96 - github.com/golangci/golangci-lint v1.44.0
- Replace
DIST:
- go-boring: Build with Golang 1.17.6.
DIST:
- Github actions release automation
- go: Build with Golang 1.17.6.
FEATURES:
- container/seal: introduce a naming convention for identity and container keys. #89
- cmd/transform #90
encrypt
/decrypt
apply symmetric encryption transformerencode
/decode
apply encoding/decoding to given inputsign
/verify
apply signature algorithm or verify a signature from the given input
- cmd/keygen: JWK Key pair generation #90
CHANGES:
- cso/v1: Meta ring only require one path component. #90
- container/seal: Modern FIPS compatible container sealing process (ECDH+AES256-CTR+HMAC-SHA384 / ECDSA P-384 / HMAC-SHA512). #89
- crypto/paseto: move PASETO v4 primitives to
sdk/security/paseto/v4
. #87 - sdk/deps #91
- GHSA - Security freeze
- github.com/opencontainers/image-spec v1.0.2
- github.com/opencontainers/runc v1.0.3
- github.com/hashicorp/hcl/v2 v2.11.1
- github.com/ory/dockertest/v3 v3.8.1
- golang.org/x/crypto v0.0.0-20210915214749-c084706c2272
- golang.org/x/sys v0.0.0-20210915083310-ed5796bab164
- golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1
- google.golang.org/genproto v0.0.0-20211207154714-918901c715cf
- GHSA - Security freeze
- cmd/transform: Deprecate
encryption
sub command in favor ofencrypt
anddecrypt
. #90
DIST:
- go: Build with Golang 1.17.5.
- nix/shell: Expose
shell.nix
to get a consistent development environment. #87
CHANGES:
- cso/v1: Support new Azure and IBM regions. #84
BREAKING-CHANGES:
- cmd/ruleset: Ruleset generation from a Bundle has been relocated to
to ruleset
command. #77 - bundle/filter: parameter
--jmespath
as been renamed to--query
. #77 - bundle/dump: parameter
--jmespath
as been renamed to--query
. #77 - deprecation: package
github.com/elastic/harp/pkg/bundle/vfs
has been removed. The Golang 1.16fs.FS
implementation must be used and located atgithub.com/elastic/harp/pkg/bundle/fs
. #77 - container/identity: identities are using
ed25519
key pairs vsx25519
keys in previous versions. For conversion, you can still unseal a container using oldx25519
key based identities, but you can't seal with them. To be future-proof, you have to regenerate new identities. #79 - sdk/transformer: Encryption transformers must be imported to be registered in the encryption transformer registry. #80
FEATURES:
- bundle/encryption: Partial bundle encryption based on annotations. #77
- task/bundle: Fully unit tested. #77
- core/kv: Support KV Store publication for Etcd3/Zookeeper/Consul. #77
- value/transformer: Transformer mock is available for testing. #77
- value/encryption: Expose
encryption.Must(value.Transformer, error)
to build a transformer instance with a panic raised on error. #77 - sdk/cmdutil:
DiscardWriter()
is aio.Writer
provider used to discard all output. #77 - sdk/cmdutil:
DirectWriter(io.Writer)
is aio.Writer
provider used to delegate to input writer. #77 - sdk/cmdutil:
NewClosedWriter()
is aio.Writer
implementation who always return onWrite()
calls. #77 - pkg/kv: integration tests and behavior validation test suite. #78
- value/transformers: expose new JWE based encryption transformers #80
jwe:a128kw:<base64>
to initialize a AES128 Key Wrapper with AES128 GCM Encryption transformerjwe:a192kw:<base64>
to initialize a AES192 Key Wrapper with AES192 GCM Encryption transformerjwe:a256kw:<base64>
to initialize a AES256 Key Wrapper with AES256 GCM Encryption transformerjwe:pbes2-hs256-a128kw:<ascii>
to initialize a PBES2 key derivation function for AES128 key wrapping with AES128 GCM Encryption transformerjwe:pbes2-hs384-a192kw:<ascii>
to initialize a PBES2 key derivation function for AES192 key wrapping with AES192 GCM Encryption transformerjwe:pbes2-hs512-a256kw:<ascii>
to initialize a PBES2 key derivation function for AES256 key wrapping with AES256 GCM Encryption transformer
- sdk/transformer: Encryption transformer dynamic factory. #80
- Use
pkg/value/encryption.Register(prefix, factory)
to register a transformer factory matching the given prefix.
- Use
- bundle/prefixer: parameter
--remove
added to support prefix removal operation. #81 - to/object: support
toml
format as output. #81 - value/transformer: Support PASETO
v4.local
transformer. #82
CHANGES:
- container/identity: converge to
value.Transformer
usage for identity protection. #81 - container/recover: converge to
value.Transformer
usage for container key recovery from an identity. #81 - sdk/types:
IsNil()
now recognize nil function pointer. #77 - sdk/dep: #79
- github.com/google/gops v0.3.22
- github.com/gosimple/slug v1.11.2
- github.com/hashicorp/consul/api v1.11.0
- github.com/hashicorp/vault/api v1.3.0
- github.com/zclconf/go-cty v1.10.0
- go.step.sm/crypto v0.13.0
- golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa
- golang.org/x/sys v0.0.0-20211113001501-0c823b97ae02
- google.golang.org/genproto v0.0.0-20211112145013-271947fe86fd
- google.golang.org/grpc v1.42.0
DIST:
- go: Build with Golang 1.17.3.
- tools: Update
golangci-lint
tov1.43.0
. #76 - docs: General review for typo / grammar.
BREAKING-CHANGES:
- Metadata storage has been modified to support a JSON level complexity. All plugins must align their metadata management to the new format.
DIST:
- go: Build with Golang 1.17.2.
- homebrew: Approriate harp version can be installed according to your platform architecture and OS #71
CHANGES:
- core/vault: Replace JSON encoded metadata in secret data by a JSON object. #68
- crypto/pem: Delegate PEM encoding/decoding to
go.step.sm/crypto
#73
FEATURES:
- to/vault: Support Vault >1.9 custom metadata for bundle metadata publication. #68
- from/vault: Support Vault >1.9 custom metadata for bundle metadata retrieval. #68
- from/vault: Support legacy bundle metadata format. #69
- template/engine:
jsonEscape
/jsonUnescape
is added to handle string escaping using JSON character escaping strategy #70 - template/engine:
unquote
is added to unquote aquote
escaped string. #70 - bundle/prefixer: Globally add a prefix to all secret packages. #74
- plugin/kv: Promote harp-kv as builtin. #75
CHANGES:
- go: Build with Golang 1.17.1.