Skip to content

Sealed Secrets

v0.37.0 Feature

This release adds 2 notable features for engineering teams evaluating rollout.

Published 13d GitOps
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

devops-workflow encrypt-secrets gitops kubernetes kubernetes-secrets

ReleasePort's take

Moderate signal
editorial:auto 13d

Sealed Secrets v0.37.0 patches golang.org/x/crypto for security and hardens GitHub Actions token permissions. Updates Kubernetes client dependencies to 0.36.1 and fixes OCI push functionality.

Why it matters: Apply this patch to secure golang.org/x/crypto and harden CI/CD token permissions. Updates Kubernetes clients to 0.36.1 for compatibility. Test new plaintext template.data exposure in dev before deploying.

Summary

AI summary

Updates 2026-05-21T14:29:22Z, https://formulae.brew.sh/formula/kubeseal, and https://ports.macports.org/port/kubeseal/summary across a mixed release.

Changes in this release

Security Medium

Adds explicit GITHUB_TOKEN permissions to CI/CD workflows

Adds explicit GITHUB_TOKEN permissions to CI/CD workflows

Source: llm_adapter@2026-05-21

Confidence: high
Feature Medium

Introduces cooldown period for dependency updates and updates Kubernetes support

Introduces cooldown period for dependency updates and updates Kubernetes support

Source: llm_adapter@2026-05-21

Confidence: high
Feature Medium

Exposes plaintext template.data values in template rendering context

Exposes plaintext template.data values in template rendering context

Source: llm_adapter@2026-05-21

Confidence: high
Dependency Medium

Bumps Kubernetes API, client-go, apimachinery and code-generator to 0.36.1

Bumps Kubernetes API, client-go, apimachinery and code-generator to 0.36.1

Source: llm_adapter@2026-05-21

Confidence: high
Dependency Medium

Updates Go language runtime to 1.26.3

Updates Go language runtime to 1.26.3

Source: llm_adapter@2026-05-21

Confidence: high
Dependency Medium

Updates distroless/static container image base

Updates distroless/static container image base

Source: llm_adapter@2026-05-21

Confidence: high
Dependency Medium

Updates github.com/mattn/go-isatty to 0.0.21

Updates github.com/mattn/go-isatty to 0.0.21

Source: llm_adapter@2026-05-21

Confidence: high
Dependency Medium

Updates github.com/onsi/ginkgo/v2 to 2.28.3

Updates github.com/onsi/ginkgo/v2 to 2.28.3

Source: llm_adapter@2026-05-21

Confidence: high
Dependency Medium

Updates golang.org/x/crypto to 0.50.0 for security

Updates golang.org/x/crypto to 0.50.0 for security

Source: llm_adapter@2026-05-21

Confidence: high
Dependency Medium

Updates k8s.io/client-go to 0.35.4

Updates k8s.io/client-go to 0.35.4

Source: llm_adapter@2026-05-21

Confidence: high
Dependency Medium

Updates k8s.io/code-generator to 0.35.4

Updates k8s.io/code-generator to 0.35.4

Source: llm_adapter@2026-05-21

Confidence: high
Bugfix Medium

Fixes OCI push functionality

Fixes OCI push functionality

Source: llm_adapter@2026-05-21

Confidence: high
Refactor Medium

Corrects typo `occured` to `occurred` in README

Corrects typo `occured` to `occurred` in README

Source: llm_adapter@2026-05-21

Confidence: low
Full changelog

v0.37.0 (2026-05-21T14:29:22Z)

New v0.37.0 release!

Changelog

  • 208c1e4e984871ef8bbe609a6b9f678b4f63e471 Bump 0.36.1 api,client-go,apimachinery and code-generator (#1965)
  • 7da6cc6005aacbc9e451c5a1aa5d58c44f615bc2 Bump Go version to 1.26.3 (#1966)
  • 7f1392e7a8cdc80dc191b1bac73a1b314c3d4f96 Bump distroless/static from 47b2d72 to 3592aa8 in /docker (#1964)
  • 4165330bec30aeaf6b6ead375f73eb99e9363225 Bump github.com/mattn/go-isatty from 0.0.20 to 0.0.21 (#1943)
  • 3897afa1014c88125242ce752c4a29072b2678e8 Bump github.com/mattn/go-isatty from 0.0.21 to 0.0.22 (#1954)
  • 0ecd79a2cd48d1d95fb85bc9bea67624ee95d107 Bump github.com/onsi/ginkgo/v2 from 2.28.1 to 2.28.3 (#1956)
  • 77fb71c4d892f019b7ff406826d8292ed7119e01 Bump golang.org/x/crypto from 0.49.0 to 0.50.0 (#1942)
  • 1362d36448deb30f103a63ab3e6585fbe60d655d Bump golang.org/x/crypto from 0.50.0 to 0.51.0 (#1957)
  • f91e690a566ea88e4692b7f58f2af2314d7ad5fe Bump k8s.io/client-go from 0.35.3 to 0.35.4 (#1947)
  • 9bf8cd0fde2a02d5a8eef452b06abcdeec0b95c2 Bump k8s.io/code-generator from 0.35.3 to 0.35.4 (#1946)
  • 4d6122fca25a11730726e6c712db969e472e7d05 Cooldown period for dependency updates and update K8S support (#1955)
  • 8c3d506ac63c10c6bb5a6267a61f916b7d97aa76 Expose plaintext template.data values in template rendering context (#1940)
  • 00f0e5be5d38552b510dd5edd6f01ab8444c0ab4 Fix oci push (#1967)
  • 8e4ed463552a6a6462648a9ff090a1f42abbda30 Release notes v0.37.0 (#1968)
  • 86671a8851be1e6c2dfef4e12e2d7c19ed24ac94 chore: typo occured -> occurred in prometheus-mixin README (#1949)
  • ce3fec4e80c22f2f18fd493b89ac6b531700a5f6 fix: add explicit GITHUB_TOKEN permissions to workflows (#1933)

Installation Instructions

Cluster-side

Install the SealedSecret CRD and server-side controller into the kube-system namespace:

kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.37.0/controller.yaml

Client-side

Install the client-side tool into /usr/local/bin/:

Linux x86_64:

curl -OL "https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.37.0/kubeseal-0.37.0-linux-amd64.tar.gz"
tar -xvzf kubeseal-0.37.0-linux-amd64.tar.gz kubeseal
sudo install -m 755 kubeseal /usr/local/bin/kubeseal

macOS:
The kubeseal client is available on homebrew:

brew install kubeseal

MacPorts:

The kubeseal client is available on MacPorts:

port install kubeseal

Nixpkgs

The kubeseal client is available on Nixpkgs: (DISCLAIMER: Not maintained by bitnami-labs)

nix-env -iA nixpkgs.kubeseal

Other OS/Arch:
Binaries for other OS/arch combinations are attached to this release below.

If you just want the latest client tool, it can be installed into
$GOPATH/bin with:

go install github.com/bitnami-labs/sealed-secrets/cmd/kubeseal@main

You can specify a release tag or a commit SHA instead of main.

The go install command will place the kubeseal binary at $GOPATH/bin:

$(go env GOPATH)/bin/kubeseal

Release Notes

Please read the RELEASE_NOTES which contain among other things important information for those upgrading from previous releases.

Thanks!

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Sealed Secrets

Get notified when new releases ship.

Sign up free

About Sealed Secrets

A Kubernetes controller and tool for one-way encrypted Secrets

All releases →

Related context

Related tools

Beta — feedback welcome: [email protected]