kubekrypt 2.2.0 → 2.2.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0fc12e50c4083f740004c80424c20d28abbdf9254be9e2c81752fa53c5b2ee9d
-  data.tar.gz: 1c72fef635ece42c16605893d8580234ff0efb63e147bd99ab6e9d08ee6b52a7
+  metadata.gz: 101ea0dd17b015654925f7c24ff7101073f390a9d0784fa618017e1203392bc5
+  data.tar.gz: 6c1949385152a207dc3019723ab9709b171a871b3430f3d8cd900c6205119bde
 SHA512:
-  metadata.gz: a4cf83f02bda125ed63c86ef872b023aac37393b1523bda8c583e60eef46e48c0e9e85fecfc0b4625158746a5cc9e643544e2d1f8a176fa6adad28e4f122c9ec
-  data.tar.gz: 46ec255f4439a16e280f2cc666d16be278e463ea108cd8cfd3d8dedc7b1e73b0bc2917ba9f816d3d6ae64ab1dcf6e306fad6ca8686e7390a466293db424c0ffe
+  metadata.gz: 8d562fc536f8c11e37068e03fafcbe053534306b4c6835677b414e3ddea568f0ef1d10e216968d8ae4805369eb18f994e89ab45c4a929c29e43ba694617529ad
+  data.tar.gz: f28b90f7de3488c3f64982d11e6571355b7e5a7f13fe31c758d480f821b5c941ba1ef3770d2bcc0529fba4b92c57c003c510f948b0f715639e51d7c80b21f46b

data/.github/workflows/ci.yml

@@ -14,7 +14,7 @@ jobs:
         ruby-version: [3.4, 4.0]
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:

data/CHANGELOG.md

@@ -1,5 +1,20 @@
 # Changelog
 
+## [2.2.3] - 2026-06-14
+
+### Fixed
+- `encrypt` and `decrypt` now raise `InvalidSecretError` when the manifest has no `data` key, instead of silently passing the content through. Previously such a manifest was printed back **unencrypted** in Ruby-inspect format — easy to redirect into an `.enc.yaml` file and commit plaintext secrets without noticing.
+
+## [2.2.2] - 2026-03-31
+
+### Changed
+- Removed upper bound version constraint on `grpc` dependency
+
+## [2.2.1] - 2026-03-24
+
+### Fixed
+- Removed `kind: Secret` validation which broke manifests that omit the `kind` field
+
 ## [2.2.0] - 2026-03-24
 
 ### Added

data/Gemfile

@@ -8,4 +8,3 @@ gem "pry"
 gem "rake"
 gem "rspec"
 gem "standardrb"
-gem "rdoc"

data/Gemfile.lock

@@ -1,24 +1,24 @@
 PATH
   remote: .
   specs:
-    kubekrypt (2.2.0)
+    kubekrypt (2.2.3)
       google-cloud-kms
-      grpc (< 1.74.0)
+      grpc
       thor (>= 1.0)
       yaml
 
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.8.9)
+    addressable (2.9.0)
       public_suffix (>= 2.0.2, < 8.0)
     ast (2.4.3)
     base64 (0.3.0)
-    bigdecimal (4.0.1)
+    bigdecimal (4.1.2)
     coderay (1.1.3)
     date (3.5.1)
     diff-lcs (1.6.2)
-    erb (6.0.2)
+    erb (6.0.4)
     faraday (2.14.1)
       faraday-net_http (>= 2.0, < 3.5)
       json
@@ -55,19 +55,19 @@ GEM
     google-cloud-location (1.3.0)
       gapic-common (~> 1.2)
       google-cloud-errors (~> 1.0)
-    google-iam-v1 (1.5.1)
+    google-iam-v1 (1.6.1)
       gapic-common (~> 1.2)
       google-cloud-errors (~> 1.0)
       grpc-google-iam-v1 (~> 1.11)
     google-logging-utils (0.2.0)
-    google-protobuf (4.34.1)
+    google-protobuf (4.35.0)
       bigdecimal
       rake (~> 13.3)
     googleapis-common-protos (1.7.0)
       google-protobuf (>= 3.18, < 5.a)
       googleapis-common-protos-types (~> 1.7)
       grpc (~> 1.41)
-    googleapis-common-protos-types (1.22.0)
+    googleapis-common-protos-types (1.23.0)
       google-protobuf (~> 4.26)
     googleauth (1.16.2)
       faraday (>= 1.0, < 3.a)
@@ -77,7 +77,7 @@ GEM
       multi_json (~> 1.11)
       os (>= 0.9, < 2.0)
       signet (>= 0.16, < 2.a)
-    grpc (1.73.0)
+    grpc (1.81.0)
       google-protobuf (>= 3.25, < 5.0)
       googleapis-common-protos-types (~> 1.0)
     grpc-google-iam-v1 (1.11.0)
@@ -85,24 +85,24 @@ GEM
       googleapis-common-protos (~> 1.7.0)
       grpc (~> 1.41)
     io-console (0.8.2)
-    irb (1.17.0)
+    irb (1.18.0)
       pp (>= 0.6.0)
       prism (>= 1.3.0)
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
-    json (2.19.2)
+    json (2.19.3)
     jwt (3.1.2)
       base64
     language_server-protocol (3.17.0.5)
     lint_roller (1.1.0)
     logger (1.7.0)
     method_source (1.1.0)
-    multi_json (1.19.1)
+    multi_json (1.20.1)
     net-http (0.9.1)
       uri (>= 0.11.1)
     os (1.1.4)
-    parallel (1.27.0)
-    parser (3.3.10.2)
+    parallel (1.28.0)
+    parser (3.3.11.1)
       ast (~> 2.4.1)
       racc
     pp (0.6.3)
@@ -119,12 +119,12 @@ GEM
     public_suffix (7.0.5)
     racc (1.8.1)
     rainbow (3.1.1)
-    rake (13.3.1)
+    rake (13.4.2)
     rdoc (7.2.0)
       erb
       psych (>= 4.0.0)
       tsort
-    regexp_parser (2.11.3)
+    regexp_parser (2.12.0)
     reline (0.6.3)
       io-console (~> 0.5)
     rspec (3.13.2)
@@ -196,9 +196,8 @@ DEPENDENCIES
   kubekrypt!
   pry
   rake
-  rdoc
   rspec
   standardrb
 
 BUNDLED WITH
-   2.7.1
+  4.0.9

data/LICENSE

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2025 Krzysztof Knapik
+Copyright (c) 2026 Krzysztof Knapik
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/kubekrypt.gemspec

@@ -27,7 +27,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "google-cloud-kms"
-  spec.add_dependency "grpc", "< 1.74.0" # 1.74.0 & google-cloud-kms produce segmentation fault errors
+  spec.add_dependency "grpc"
   spec.add_dependency "thor", ">= 1.0"
   spec.add_dependency "yaml"
 end

data/lib/kubekrypt/cli.rb

@@ -44,9 +44,7 @@ module KubeKrypt
     end
 
     def load_secret(file_path)
-      content = YAML.safe_load_file(file_path)
-      raise InvalidSecretError, "#{file_path} is not a Kubernetes Secret" unless content["kind"] == "Secret"
-      content
+      YAML.safe_load_file(file_path)
     rescue Psych::Exception => e
       raise InvalidSecretError, "#{file_path} is not valid YAML: #{e.message}"
     end

data/lib/kubekrypt/decryptor.rb

@@ -20,7 +20,9 @@ module KubeKrypt
     end
 
     def self.call(content:, base64:)
-      return content unless content["data"]
+      unless content["data"]
+        raise InvalidSecretError, "no data key found — nothing to decrypt"
+      end
 
       key_name = content.fetch(METADATA_KEY).fetch(KMS_KEY.to_s)
       decryptor = new(key_name)

data/lib/kubekrypt/encryptor.rb

@@ -14,7 +14,10 @@ module KubeKrypt
     end
 
     def self.call(content:, key_name:)
-      return content unless content["data"]
+      unless content["data"]
+        raise InvalidSecretError,
+          "no data key found — refusing to write the manifest through unencrypted"
+      end
 
       encryptor = new(key_name)
 

data/lib/kubekrypt/version.rb

@@ -1,3 +1,3 @@
 module KubeKrypt
-  VERSION = "2.2.0".freeze
+  VERSION = "2.2.3".freeze
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: kubekrypt
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 2.2.3
 platform: ruby
 authors:
 - Krzysztof Knapik
@@ -27,16 +27,16 @@ dependencies:
   name: grpc
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "<"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.74.0
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "<"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.74.0
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement
@@ -111,7 +111,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.8
+rubygems_version: 4.0.10
 specification_version: 4
 summary: KubeKrypt provides seamless encryption and decryption of Kubernetes Secret
   menifests using Google Cloud KMS