Compare commits
7 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 Chris Farhood
|
fb5573cd9e | ||
 privilegedescalation-engineer[bot]
|
67602fb279 | ||
|
privilegedescalation-engineer[bot]
|
ecdee4a95a | ||
|
privilegedescalation-engineer[bot]
|
0c2132b013 | ||
|
privilegedescalation-engineer[bot]
|
780f58f9d9 | ||
|
privilegedescalation-ceo[bot]
|
d1ea2fa36e | ||
|
privilegedescalation-engineer[bot]
|
9b385b95a3 |
@@ -16,3 +16,5 @@ jobs:
|
||||
dual-approval:
|
||||
uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
|
||||
secrets: inherit
|
||||
with:
|
||||
pr_number: ${{ github.event.pull_request.number }}
|
||||
|
||||
@@ -151,7 +151,7 @@ Plaintext values never leave your browser.
|
||||
| Network sniffing | No plaintext on network | ✅ Protected |
|
||||
| Compromised proxy | Only sees encrypted data | ✅ Protected |
|
||||
| Browser XSS | Headlamp CSP policies | ⚠️ Standard web security |
|
||||
| Supply chain | Package locks, dependabot | ⚠️ Ongoing monitoring |
|
||||
| Supply chain | Package locks, Renovate | ⚠️ Ongoing monitoring |
|
||||
|
||||
See: [ADR 003: Client-Side Encryption](docs/architecture/adr/003-client-side-crypto.md)
|
||||
|
||||
|
||||
+1
-1
@@ -70,7 +70,7 @@ Key dependencies with security implications:
|
||||
- **node-forge**: Used for client-side encryption of secret values with the cluster's sealing certificate. Keep this dependency up to date.
|
||||
- **@kinvolk/headlamp-plugin**: Peer dependency providing the Kubernetes API proxy. Update by upgrading your Headlamp installation.
|
||||
|
||||
The project uses `npm audit` and Dependabot to monitor for known vulnerabilities.
|
||||
The project uses `npm audit` and Renovate to monitor for known vulnerabilities.
|
||||
|
||||
## Contact
|
||||
|
||||
|
||||
+4
-4
@@ -1,6 +1,6 @@
|
||||
# Artifact Hub package metadata file
|
||||
# https://github.com/artifacthub/hub/blob/master/docs/metadata/artifacthub-pkg.yml
|
||||
version: "1.0.1"
|
||||
version: "1.0.2"
|
||||
name: headlamp-sealed-secrets
|
||||
displayName: Sealed Secrets
|
||||
createdAt: "2026-02-12T00:00:00Z"
|
||||
@@ -19,8 +19,8 @@ keywords:
|
||||
- encryption
|
||||
- security
|
||||
annotations:
|
||||
headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases/download/v1.0.1/sealed-secrets-1.0.1.tar.gz"
|
||||
headlamp/plugin/archive-checksum: sha256:a7935aac260dd08d1363321e8d2320d9f9feee74e47bf51d95a6df4bd33f7f16
|
||||
headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases/download/v1.0.2/sealed-secrets-1.0.2.tar.gz"
|
||||
headlamp/plugin/archive-checksum: sha256:0eaf34d380d133120d3a50c890e0c96b23717427887b1f23377a841cb3783b11
|
||||
headlamp/plugin/version-compat: ">=0.13.0"
|
||||
headlamp/plugin/distro-compat: "desktop,in-cluster,web,docker-desktop"
|
||||
links:
|
||||
@@ -73,4 +73,4 @@ maintainers:
|
||||
recommendations:
|
||||
- url: https://artifacthub.io/packages/helm/sealed-secrets/sealed-secrets
|
||||
provider:
|
||||
name: privilegedescalation
|
||||
name: privilegedescalation
|
||||
|
||||
@@ -349,7 +349,7 @@ Added type safety:
|
||||
|
||||
**Supply Chain**:
|
||||
- Risk: Compromised node-forge dependency
|
||||
- Mitigation: Package lock, dependabot, regular audits
|
||||
- Mitigation: Package lock, Renovate, regular audits
|
||||
- Same risk as any JavaScript dependency
|
||||
|
||||
**Browser Extensions**:
|
||||
|
||||
+4
-2
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "sealed-secrets",
|
||||
"version": "1.0.1",
|
||||
"version": "1.0.2",
|
||||
"description": "Headlamp plugin for Bitnami Sealed Secrets - manage encrypted Kubernetes secrets",
|
||||
"files": [
|
||||
"dist",
|
||||
@@ -51,7 +51,9 @@
|
||||
],
|
||||
"overrides": {
|
||||
"tar": "^7.5.11",
|
||||
"undici": "^7.24.3"
|
||||
"undici": "^7.24.3",
|
||||
"vite": ">=6.4.2",
|
||||
"lodash": ">=4.18.0"
|
||||
},
|
||||
"dependencies": {
|
||||
"node-forge": "^1.4.0"
|
||||
|
||||
Generated
+1165
-751
File diff suppressed because it is too large
Load Diff
@@ -5,7 +5,7 @@
|
||||
# a ConfigMap volume mount. No custom Docker images — the plugin is built
|
||||
# in CI and injected as a ConfigMap.
|
||||
#
|
||||
# E2E resources are deployed to the `privilegedescalation-dev` namespace. Nothing
|
||||
# E2E resources are deployed to the `headlamp-dev` namespace. Nothing
|
||||
# persists beyond the test run — teardown cleans up all created resources.
|
||||
#
|
||||
# Prerequisites:
|
||||
@@ -14,7 +14,7 @@
|
||||
# - RBAC applied: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
|
||||
#
|
||||
# Environment:
|
||||
# E2E_NAMESPACE — namespace for E2E Headlamp (default: privilegedescalation-dev)
|
||||
# E2E_NAMESPACE — namespace for E2E Headlamp (default: headlamp-dev)
|
||||
# E2E_RELEASE — release/resource name prefix (default: headlamp-e2e)
|
||||
# HEADLAMP_VERSION — Headlamp image tag (default: latest)
|
||||
set -euo pipefail
|
||||
@@ -22,7 +22,7 @@ set -euo pipefail
|
||||
REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
|
||||
DIST_DIR="$REPO_ROOT/dist"
|
||||
|
||||
E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}"
|
||||
E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
|
||||
E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
|
||||
HEADLAMP_VERSION="${HEADLAMP_VERSION:-latest}"
|
||||
|
||||
|
||||
@@ -4,13 +4,13 @@
|
||||
# Tears down the dedicated E2E Headlamp instance deployed by deploy-e2e-headlamp.sh.
|
||||
#
|
||||
# Environment:
|
||||
# E2E_NAMESPACE — namespace to clean up (default: privilegedescalation-dev)
|
||||
# E2E_NAMESPACE — namespace to clean up (default: headlamp-dev)
|
||||
# E2E_RELEASE — release/resource name prefix (default: headlamp-e2e)
|
||||
set -euo pipefail
|
||||
|
||||
REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
|
||||
|
||||
E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}"
|
||||
E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
|
||||
E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
|
||||
|
||||
echo "=== E2E Headlamp Teardown ==="
|
||||
|
||||
Reference in New Issue
Block a user