
feat(helm)!: Update Chart external-secrets (0.20.4 → 2.3.0)#1216

Open
pipelines-github-app[bot] wants to merge 1 commit into main from renovate/major-2-external-secrets-genmachine

Conversation


@pipelines-github-app pipelines-github-app bot commented Feb 7, 2026

This PR contains the following updates:

Package           Update   Change
external-secrets  major    0.20.4 -> 2.3.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

external-secrets/external-secrets (external-secrets)

v2.3.0


Image: ghcr.io/external-secrets/external-secrets:v2.3.0
Image: ghcr.io/external-secrets/external-secrets:v2.3.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v2.3.0-ubi-boringssl

What's Changed

General
Dependencies

New Contributors

Full Changelog: external-secrets/external-secrets@v2.2.0...v2.3.0

v2.2.0


Image: ghcr.io/external-secrets/external-secrets:v2.2.0
Image: ghcr.io/external-secrets/external-secrets:v2.2.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v2.2.0-ubi-boringssl

Breaking change

If you are using Flux + OCIRepository to fetch External Secrets Operator charts, please update your object to use a Layer selector:

  apiVersion: source.toolkit.fluxcd.io/v1
  kind: OCIRepository
  metadata:
    name: eso-oci
  spec:
    interval: 1m0s
    provider: generic
    ref:
      tag: 2.2.0
    url: oci://ghcr.io/external-secrets/charts/external-secrets
    layerSelector:
      mediaType: "application/vnd.cncf.helm.chart.content.v1.tar+gzip"
      operation: extract

What's Changed

General
Dependencies

New Contributors

Full Changelog: external-secrets/external-secrets@v2.1.0...v2.2.0

v2.1.0


Image: ghcr.io/external-secrets/external-secrets:v2.1.0
Image: ghcr.io/external-secrets/external-secrets:v2.1.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v2.1.0-ubi-boringssl

What's Changed

General
Dependencies

New Contributors

Full Changelog: external-secrets/external-secrets@v2.0.1...v2.1.0

v2.0.1


Image: ghcr.io/external-secrets/external-secrets:v2.0.1
Image: ghcr.io/external-secrets/external-secrets:v2.0.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v2.0.1-ubi-boringssl

BREAKING CHANGE

The sprig update is actually a breaking change. It turns out that some of the functions in templating changed with this update.

What's Changed

General
Dependencies

New Contributors

Full Changelog: external-secrets/external-secrets@v2.0.0...v2.0.1

v2.0.0


BREAKING CHANGE

Please note that this release removed two of the unsupported and unmaintained providers Alibaba and Device42.

Image: ghcr.io/external-secrets/external-secrets:v2.0.0
Image: ghcr.io/external-secrets/external-secrets:v2.0.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v2.0.0-ubi-boringssl

What's Changed

General

New Contributors

Full Changelog: external-secrets/external-secrets@v1.3.2...v2.0.0

v1.3.2


Image: ghcr.io/external-secrets/external-secrets:v1.3.2
Image: ghcr.io/external-secrets/external-secrets:v1.3.2-ubi
Image: ghcr.io/external-secrets/external-secrets:v1.3.2-ubi-boringssl

What's Changed

General
Dependencies

New Contributors

Full Changelog: external-secrets/external-secrets@v1.3.1...v1.3.2

v1.3.1


Image: ghcr.io/external-secrets/external-secrets:v1.3.1
Image: ghcr.io/external-secrets/external-secrets:v1.3.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v1.3.1-ubi-boringssl


This PR has been generated by Renovate Bot.
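The release notes above name two migration points that a rendered-manifest diff will not surface: SecretStore objects still using the providers removed in v2.0.0, and Flux OCIRepository objects that fetch the chart without the layerSelector required since v2.2.0. The following pre-upgrade audit is an added example for this thread, not Renovate's, Flux's or external-secrets' own code. It assumes the SecretStore provider keys are spelled `alibaba` and `device42` (an assumption about the schema), takes documents already parsed (in real use, `yaml.safe_load_all` over the repository), and embeds a constructed sample as JSON so it runs offline.

```python
"""Pre-upgrade audit for an external-secrets 0.20.x -> 2.x chart bump.

Added example for this PR thread; not Renovate's, Flux's or external-secrets'
own code. Checks the two migration points from the release notes:
  1. SecretStore / ClusterSecretStore objects still using a provider removed in
     v2.0.0 (Alibaba, Device42). The YAML keys `alibaba` and `device42` are an
     assumption about the SecretStore schema.
  2. Flux OCIRepository objects that fetch the ESO chart without the
     `layerSelector` that v2.2.0 requires.
Documents arrive already parsed (in real use: `yaml.safe_load_all` over the
repo); the sample below is constructed inline as JSON so the script runs offline.
"""
import json
from typing import Any, Dict, Iterable, List

Doc = Dict[str, Any]

# Providers removed in v2.0.0 per the release notes (key names assumed).
REMOVED_PROVIDERS = {"alibaba", "device42"}

ESO_CHART_URL = "oci://ghcr.io/external-secrets/charts/external-secrets"
HELM_CHART_MEDIA_TYPE = "application/vnd.cncf.helm.chart.content.v1.tar+gzip"


def _ident(doc: Doc) -> str:
    """kind/namespace/name for a finding; cluster-scoped objects show '-' as namespace."""
    md = doc.get("metadata") or {}
    return f"{doc.get('kind')}/{md.get('namespace', '-')}/{md.get('name', '?')}"


def find_removed_providers(docs: Iterable[Doc]) -> List[str]:
    """Flag stores whose spec.provider block uses a provider removed in v2.0.0."""
    findings: List[str] = []
    for doc in docs:
        if doc.get("kind") not in ("SecretStore", "ClusterSecretStore"):
            continue
        provider = (doc.get("spec") or {}).get("provider") or {}
        for key in sorted(REMOVED_PROVIDERS & set(provider)):
            findings.append(f"{_ident(doc)}: uses removed provider '{key}'")
    return findings


def find_oci_repos_missing_layer_selector(docs: Iterable[Doc]) -> List[str]:
    """Flag OCIRepository objects for the ESO chart that lack the required layerSelector."""
    findings: List[str] = []
    for doc in docs:
        if doc.get("kind") != "OCIRepository":
            continue
        spec = doc.get("spec") or {}
        if spec.get("url") != ESO_CHART_URL:
            continue
        sel = spec.get("layerSelector") or {}
        if sel.get("mediaType") != HELM_CHART_MEDIA_TYPE or sel.get("operation") != "extract":
            findings.append(f"{_ident(doc)}: ESO chart OCIRepository lacks layerSelector "
                            f"(mediaType={HELM_CHART_MEDIA_TYPE!r}, operation='extract')")
    return findings


def audit(docs: List[Doc]) -> List[str]:
    """Run both checks; an empty list means the repo is clear on these two points."""
    return find_removed_providers(docs) + find_oci_repos_missing_layer_selector(docs)


# Constructed sample: one legacy store, one current store, one stale and one
# fixed OCIRepository. Not taken from the repository under review.
SAMPLE_DOCS: List[Doc] = json.loads("""
[
  {"apiVersion": "external-secrets.io/v1", "kind": "ClusterSecretStore",
   "metadata": {"name": "legacy-alibaba"},
   "spec": {"provider": {"alibaba": {"regionID": "cn-hangzhou"}}}},
  {"apiVersion": "external-secrets.io/v1", "kind": "SecretStore",
   "metadata": {"name": "vault", "namespace": "apps"},
   "spec": {"provider": {"vault": {"server": "https://vault.example.invalid", "path": "secret"}}}},
  {"apiVersion": "source.toolkit.fluxcd.io/v1", "kind": "OCIRepository",
   "metadata": {"name": "eso-oci-old", "namespace": "flux-system"},
   "spec": {"interval": "1m0s", "provider": "generic", "ref": {"tag": "2.2.0"},
            "url": "oci://ghcr.io/external-secrets/charts/external-secrets"}},
  {"apiVersion": "source.toolkit.fluxcd.io/v1", "kind": "OCIRepository",
   "metadata": {"name": "eso-oci", "namespace": "flux-system"},
   "spec": {"interval": "1m0s", "provider": "generic", "ref": {"tag": "2.2.0"},
            "url": "oci://ghcr.io/external-secrets/charts/external-secrets",
            "layerSelector": {"mediaType": "application/vnd.cncf.helm.chart.content.v1.tar+gzip",
                              "operation": "extract"}}}
]
""")

if __name__ == "__main__":
    for finding in audit(SAMPLE_DOCS):
        print(finding)
```

On the sample it reports the `legacy-alibaba` store and the `eso-oci-old` repository and stays silent on the other two; run over a real repo it is a cheap gate to put in CI before a Renovate major bump of this chart is merged.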

@pipelines-github-app pipelines-github-app bot added app/external-secrets Changes made to External Secrets application env/genmachine Changes made in the Talos cluster renovate/helm Changes related to Helm Chart update type/major labels Feb 7, 2026

pipelines-github-app bot commented Feb 7, 2026

--- main/external-secrets_gitops_manifests_external-secrets_genmachine_manifest_main.yaml	2026-04-16 05:25:12.592360203 +0000
+++ pr/external-secrets_gitops_manifests_external-secrets_genmachine_manifest_pr.yaml	2026-04-16 05:25:11.862362388 +0000
@@ -1,71 +1,71 @@
 ---
 # Source: external-secrets/charts/external-secrets/templates/cert-controller-serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: external-secrets-cert-controller
   namespace: default
   labels:
     
-    helm.sh/chart: external-secrets-0.20.4
+    helm.sh/chart: external-secrets-2.3.0
     app.kubernetes.io/name: external-secrets-cert-controller
     app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v0.20.4"
+    app.kubernetes.io/version: "v2.3.0"
     app.kubernetes.io/managed-by: Helm
 ---
 # Source: external-secrets/charts/external-secrets/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: external-secrets
   namespace: default
   labels:
-    helm.sh/chart: external-secrets-0.20.4
+    helm.sh/chart: external-secrets-2.3.0
     app.kubernetes.io/name: external-secrets
     app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v0.20.4"
+    app.kubernetes.io/version: "v2.3.0"
     app.kubernetes.io/managed-by: Helm
 ---
 # Source: external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: external-secrets-webhook
   namespace: default
   labels:
     
-    helm.sh/chart: external-secrets-0.20.4
+    helm.sh/chart: external-secrets-2.3.0
     app.kubernetes.io/name: external-secrets-webhook
     app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v0.20.4"
+    app.kubernetes.io/version: "v2.3.0"
     app.kubernetes.io/managed-by: Helm
 ---
 # Source: external-secrets/templates/clusterSecretStore.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: eso-auth
   namespace: external-secrets
 ---
 # Source: external-secrets/charts/external-secrets/templates/webhook-secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
   name: external-secrets-webhook
   namespace: default
   labels:
     
-    helm.sh/chart: external-secrets-0.20.4
+    helm.sh/chart: external-secrets-2.3.0
     app.kubernetes.io/name: external-secrets-webhook
     app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v0.20.4"
+    app.kubernetes.io/version: "v2.3.0"
     app.kubernetes.io/managed-by: Helm
     external-secrets.io/component: webhook
 ---
 # Source: external-secrets/templates/clusterSecretStore.yaml
 apiVersion: v1
 kind: Secret
 type: kubernetes.io/service-account-token
 metadata:
   name: eso-auth
   namespace: external-secrets
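Review bot: the only lines that change in this hunk are the `helm.sh/chart` and `app.kubernetes.io/version` labels, so the rendered-manifest diff gives no signal about the breaking changes the release notes attach to this jump (Alibaba and Device42 providers removed in v2.0.0, sprig template function behaviour changed in v2.0.1). Before merging, check that no SecretStore in this repo uses those providers and that ExternalSecret `template` blocks still render as expected, since neither would show up here. Separately, the rendered chart resources land in `namespace: default` while `eso-auth` and its `kubernetes.io/service-account-token` Secret live in `external-secrets`; that is pre-existing, but a long-lived token Secret backing store authentication is worth reconsidering while this chart is being revisited.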
@@ -485,20 +485,27 @@
                               key:
                                 description: Key is the key used in the Provider, mandatory
                                 type: string
                               metadataPolicy:
                                 default: None
                                 description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
                                 enum:
                                   - None
                                   - Fetch
                                 type: string
+                              nullBytePolicy:
+                                default: Ignore
+                                description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
+                                enum:
+                                  - Ignore
+                                  - Fail
+                                type: string
                               property:
                                 description: Used to select a specific property of the Provider value (if a map), if supported
                                 type: string
                               version:
                                 description: Used to select a specific version of the Provider value, if supported
                                 type: string
                             required:
                               - key
                             type: object
                           secretKey:
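Review bot: `nullBytePolicy` defaults to `Ignore`, so a fetched value containing NUL bytes is accepted silently unless the source opts into `Fail`; because the field is new, every existing ExternalSecret in this repo will pick up that default. If any provider used here serves values where an embedded NUL would indicate truncation or corruption (binary blobs, certificates, keys), set `Fail` explicitly on those sources rather than relying on the default. The same field with the same default is added to the extract and find sources in the two hunks that follow.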
@@ -612,20 +619,27 @@
                               key:
                                 description: Key is the key used in the Provider, mandatory
                                 type: string
                               metadataPolicy:
                                 default: None
                                 description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
                                 enum:
                                   - None
                                   - Fetch
                                 type: string
+                              nullBytePolicy:
+                                default: Ignore
+                                description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
+                                enum:
+                                  - Ignore
+                                  - Fail
+                                type: string
                               property:
                                 description: Used to select a specific property of the Provider value (if a map), if supported
                                 type: string
                               version:
                                 description: Used to select a specific version of the Provider value, if supported
                                 type: string
                             required:
                               - key
                             type: object
                           find:
@@ -649,20 +663,27 @@
                                   - Base64URL
                                   - None
                                 type: string
                               name:
                                 description: Finds secrets based on the name.
                                 properties:
                                   regexp:
                                     description: Finds secrets base
                                     type: string
                                 type: object
+                              nullBytePolicy:
+                                default: Ignore
+                                description: Controls how ESO handles fetched secret data containing NUL bytes for this find source.
+                                enum:
+                                  - Ignore
+                                  - Fail
+                                type: string
                               path:
                                 description: A root path to start the find operations.
                                 type: string
                               tags:
                                 additionalProperties:
                                   type: string
                                 description: Find secrets based on tags.
                                 type: object
                             type: object
                           rewrite:
@@ -805,27 +826,27 @@
                                     description: Name of the SecretStore resource
                                     maxLength: 253
                                     minLength: 1
                                     pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                     type: string
                                 type: object
                             type: object
                         type: object
                       type: array
                     refreshInterval:
-                      default: 1h
+                      default: 1h0m0s
                       description: |-
                         RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
                         specified as Golang Duration strings.
                         Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-                        Example values: "1h", "2h30m", "10s"
-                        May be set to zero to fetch and create it once. Defaults to 1h.
+                        Example values: "1h0m0s", "2h30m0s", "10m0s"
+                        May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
                       type: string
                     refreshPolicy:
                       description: |-
                         RefreshPolicy determines how the ExternalSecret should be refreshed:
                         - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
                         - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
                           No periodic updates occur if refreshInterval is 0.
                         - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
                       enum:
                         - CreatedOnce
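Review bot: the `refreshInterval` default changes from `1h` to `1h0m0s`, and the description now says zero must be written as `"0s"`. Both defaults parse to the same Go duration, so the refresh cadence of ExternalSecrets that omit the field is unchanged, but anything that matches on the stored default string (policy rules, drift or diff tooling, dashboards) should be updated to the normalized form. It is also worth grepping this repo for manifests that set a bare `refreshInterval: 0`, since the field is typed `string` and the new wording documents only the `"0s"` spelling. The identical change appears again in the later hunk at `@@ -1546`.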
@@ -875,20 +896,39 @@
                             DeletionPolicy defines rules on how to delete the resulting Secret.
                             Defaults to "Retain"
                           enum:
                             - Delete
                             - Merge
                             - Retain
                           type: string
                         immutable:
                           description: Immutable defines if the final secret will be immutable
                           type: boolean
+                        manifest:
+                          description: |-
+                            Manifest defines a custom Kubernetes resource to create instead of a Secret.
+                            When specified, ExternalSecret will create the resource type defined here
+                            (e.g., ConfigMap, Custom Resource) instead of a Secret.
+                            Warning: Using Generic target. Make sure access policies and encryption are properly configured.
+                          properties:
+                            apiVersion:
+                              description: APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application)
+                              minLength: 1
+                              type: string
+                            kind:
+                              description: Kind of the target resource (e.g., "ConfigMap", "Application")
+                              minLength: 1
+                              type: string
+                          required:
+                            - apiVersion
+                            - kind
+                          type: object
                         name:
                           description: |-
                             The name of the Secret resource to be managed.
                             Defaults to the .metadata.name of the ExternalSecret resource
                           maxLength: 253
                           minLength: 1
                           pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                           type: string
                         template:
                           description: Template defines a blueprint for the created Secret resource.
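Review bot: `spec.target.manifest` lets an ExternalSecret write fetched secret material into an arbitrary resource kind (the description names ConfigMap and custom resources), and its own text warns that access policies and encryption must be configured. That matters here: a ConfigMap is not covered by Secret-scoped RBAC or by encryption-at-rest configured for Secrets, and the ESO controller's ClusterRole needs create/update rights on whatever kinds are used. Suggest deciding now whether this feature is wanted in this cluster and, if not, blocking `spec.target.manifest` with an admission policy so a later ExternalSecret cannot quietly move credentials into a ConfigMap; if it is wanted, pair it with an RBAC review of the permitted target kinds.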
@@ -1002,36 +1042,37 @@
                                         maxLength: 253
                                         minLength: 1
                                         pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                         type: string
                                     required:
                                       - items
                                       - name
                                     type: object
                                   target:
                                     default: Data
-                                    description: TemplateTarget specifies where the rendered templates should be applied.
-                                    enum:
-                                      - Data
-                                      - Annotations
-                                      - Labels
+                                    description: |-
+                                      Target specifies where to place the template result.
+                                      For Secret resources, common values are: "Data", "Annotations", "Labels".
+                                      For custom resources (when spec.target.manifest is set), this supports
+                                      nested paths like "spec.database.config" or "data".
                                     type: string
                                 type: object
                               type: array
                             type:
                               type: string
                           type: object
                       type: object
                   type: object
                 namespaceSelector:
                   description: |-
                     The labels to select by to find the Namespaces to create the ExternalSecrets in.
+
                     Deprecated: Use NamespaceSelectors instead.
                   properties:
                     matchExpressions:
                       description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                       items:
                         description: |-
                           A label selector requirement is a selector that contains values, a key, and an operator that
                           relates the key and values.
                         properties:
                           key:
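Review bot: the `enum` (`Data`, `Annotations`, `Labels`) on the template `target` field is removed, so the API server no longer rejects a mistyped value; the new description says nested paths are accepted for custom resources. A typo such as `Annotation` on a plain Secret target now passes schema validation and surfaces only as a reconcile error or as a template silently not applied. Consider an `x-kubernetes-validations` rule, or an admission policy in this repo, that restricts `target` to the three Secret values unless `spec.target.manifest` is set.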
@@ -1114,20 +1155,21 @@
                           matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                           map is equivalent to an element of matchExpressions, whose key field is "key", the
                           operator is "In", and the values array contains only "value". The requirements are ANDed.
                         type: object
                     type: object
                     x-kubernetes-map-type: atomic
                   type: array
                 namespaces:
                   description: |-
                     Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
+
                     Deprecated: Use NamespaceSelectors instead.
                   items:
                     maxLength: 63
                     minLength: 1
                     pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                     type: string
                   type: array
                 refreshTime:
                   description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
                   type: string
@@ -1546,27 +1588,27 @@
                                     description: Name of the SecretStore resource
                                     maxLength: 253
                                     minLength: 1
                                     pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                     type: string
                                 type: object
                             type: object
                         type: object
                       type: array
                     refreshInterval:
-                      default: 1h
+                      default: 1h0m0s
                       description: |-
                         RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
                         specified as Golang Duration strings.
                         Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-                        Example values: "1h", "2h30m", "10s"
-                        May be set to zero to fetch and create it once. Defaults to 1h.
+                        Example values: "1h0m0s", "2h30m0s", "10m0s"
+                        May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
                       type: string
                     refreshPolicy:
                       description: |-
                         RefreshPolicy determines how the ExternalSecret should be refreshed:
                         - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
                         - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
                           No periodic updates occur if refreshInterval is 0.
                         - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
                       enum:
                         - CreatedOnce
@@ -1847,20 +1889,21 @@
                           matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                           map is equivalent to an element of matchExpressions, whose key field is "key", the
                           operator is "In", and the values array contains only "value". The requirements are ANDed.
                         type: object
                     type: object
                     x-kubernetes-map-type: atomic
                   type: array
                 namespaces:
                   description: |-
                     Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
+
                     Deprecated: Use NamespaceSelectors instead.
                   items:
                     maxLength: 63
                     minLength: 1
                     pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                     type: string
                   type: array
                 refreshTime:
                   description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
                   type: string
@@ -2751,20 +2794,28 @@
                         length:
                           default: 24
                           description: |-
                             Length of the password to be generated.
                             Defaults to 24
                           type: integer
                         noUpper:
                           default: false
                           description: Set NoUpper to disable uppercase characters
                           type: boolean
+                        secretKeys:
+                          description: |-
+                            SecretKeys defines the keys that will be populated with generated passwords.
+                            Defaults to "password" when not set.
+                          items:
+                            type: string
+                          minItems: 1
+                          type: array
                         symbolCharacters:
                           description: |-
                             SymbolCharacters specifies the special characters that should be used
                             in the generated password.
                           type: string
                         symbols:
                           description: |-
                             Symbols specifies the number of symbol characters in the generated
                             password. If omitted it defaults to 25% of the length of the password
                           type: integer
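Review bot: the `secretKeys` description ("the keys that will be populated with generated passwords") does not say whether each key receives an independently generated password or all keys share one value. That distinction decides whether the output can be treated as separate credentials per key, so the schema description should state it explicitly. `minItems: 1` together with the documented fallback to `password` when the field is unset is consistent; just confirm that an empty list is rejected rather than silently falling back to the default.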
@@ -2815,31 +2866,33 @@
                         - serviceAccountRef
                       type: object
                     sshKeySpec:
                       description: SSHKeySpec controls the behavior of the ssh key generator.
                       properties:
                         comment:
                           description: Comment specifies an optional comment for the SSH key
                           type: string
                         keySize:
                           description: |-
-                            KeySize specifies the key size for RSA keys (default: 2048)
+                            KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).
                             For RSA keys: 2048, 3072, 4096
+                            For ECDSA keys: 256, 384, 521
                             Ignored for ed25519 keys
                           maximum: 8192
                           minimum: 256
                           type: integer
                         keyType:
                           default: rsa
-                          description: KeyType specifies the SSH key type (rsa, ed25519)
+                          description: KeyType specifies the SSH key type (rsa, ecdsa, ed25519)
                           enum:
                             - rsa
+                            - ecdsa
                             - ed25519
                           type: string
                       type: object
                     stsSessionTokenSpec:
                       description: STSSessionTokenSpec defines the desired state to generate an AWS STS session token.
                       properties:
                         auth:
                           description: Auth defines how to authenticate with AWS
                           properties:
                             jwt:
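Review bot: `keySize` now documents both RSA (2048, 3072, 4096) and ECDSA (256, 384, 521) sizes, but the schema bounds stay `minimum: 256` / `maximum: 8192` for every `keyType`, so an `rsa` key with `keySize: 256` or an `ecdsa` key with `keySize: 4096` passes CRD validation and is caught, or not, only by the generator at runtime. Suggest a per-type `x-kubernetes-validations` CEL rule on `sshKeySpec`, e.g. `!has(self.keySize) || self.keyType != 'rsa' || self.keySize >= 2048`, or at least a note in the description that sizes below the documented RSA floor are rejected by the controller.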
@@ -3160,20 +3213,151 @@
                                           type: string
                                         namespace:
                                           description: |-
                                             The namespace of the Secret resource being referred to.
                                             Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                           maxLength: 63
                                           minLength: 1
                                           pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                           type: string
                                       type: object
+                                    vaultRole:
+                                      description: VaultRole specifies the Vault role to use for TLS certificate authentication.
+                                      type: string
+                                  type: object
+                                gcp:
+                                  description: |-
+                                    Gcp authenticates with Vault using Google Cloud Platform authentication method
+                                    GCP authentication method
+                                  properties:
+                                    location:
+                                      description: Location optionally defines a location/region for the secret
+                                      type: string
+                                    path:
+                                      default: gcp
+                                      description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
+                                      type: string
+                                    projectID:
+                                      description: Project ID of the Google Cloud Platform project
+                                      type: string
+                                    role:
+                                      description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
+                                      type: string
+                                    secretRef:
+                                      description: Specify credentials in a Secret object
+                                      properties:
+                                        secretAccessKeySecretRef:
+                                          description: The SecretAccessKey is used for authentication
+                                          properties:
+                                            key:
+                                              description: |-
+                                                A key in the referenced Secret.
+                                                Some instances of this field may be defaulted, in others it may be required.
+                                              maxLength: 253
+                                              minLength: 1
+                                              pattern: ^[-._a-zA-Z0-9]+$
+                                              type: string
+                                            name:
+                                              description: The name of the Secret resource being referred to.
+                                              maxLength: 253
+                                              minLength: 1
+                                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                              type: string
+                                            namespace:
+                                              description: |-
+                                                The namespace of the Secret resource being referred to.
+                                                Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+                                              maxLength: 63
+                                              minLength: 1
+                                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                                              type: string
+                                          type: object
+                                      type: object
+                                    serviceAccountRef:
+                                      description: ServiceAccountRef to a service account for impersonation
+                                      properties:
+                                        audiences:
+                                          description: |-
+                                            Audience specifies the `aud` claim for the service account token
+                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+                                            then this audiences will be appended to the list
+                                          items:
+                                            type: string
+                                          type: array
+                                        name:
+                                          description: The name of the ServiceAccount resource being referred to.
+                                          maxLength: 253
+                                          minLength: 1
+                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                          type: string
+                                        namespace:
+                                          description: |-
+                                            Namespace of the resource being referred to.
+                                            Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+                                          maxLength: 63
+                                          minLength: 1
+                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                                          type: string
+                                      required:
+                                        - name
+                                      type: object
+                                    workloadIdentity:
+                                      description: Specify a service account with Workload Identity
+                                      properties:
+                                        clusterLocation:
+                                          description: |-
+                                            ClusterLocation is the location of the cluster
+                                            If not specified, it fetches information from the metadata server
+                                          type: string
+                                        clusterName:
+                                          description: |-
+                                            ClusterName is the name of the cluster
+                                            If not specified, it fetches information from the metadata server
+                                          type: string
+                                        clusterProjectID:
+                                          description: |-
+                                            ClusterProjectID is the project ID of the cluster
+                                            If not specified, it fetches information from the metadata server
+                                          type: string
+                                        serviceAccountRef:
+                                          description: ServiceAccountSelector is a reference to a ServiceAccount resource.
+                                          properties:
+                                            audiences:
+                                              description: |-
+                                                Audience specifies the `aud` claim for the service account token
+                                                If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+                                                then this audiences will be appended to the list
+                                              items:
+                                                type: string
+                                              type: array
+                                            name:
+                                              description: The name of the ServiceAccount resource being referred to.
+                                              maxLength: 253
+                                              minLength: 1
+                                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                              type: string
+                                            namespace:
+                                              description: |-
+                                                Namespace of the resource being referred to.
+                                                Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+                                              maxLength: 63
+                                              minLength: 1
+                                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                                              type: string
+                                          required:
+                                            - name
+                                          type: object
+                                      required:
+                                        - serviceAccountRef
+                                      type: object
+                                  required:
+                                    - role
                                   type: object
                                 iam:
                                   description: |-
                                     Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
                                     AWS IAM authentication method
                                   properties:
                                     externalID:
                                       description: AWS External ID set on assumed IAM roles
                                       type: string
                                     jwt:
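Review bot: the `namespace` field on both `serviceAccountRef` objects (the direct one and the one under `workloadIdentity`) is only ignored when the referent is namespace-scoped, so a ClusterSecretStore using this auth block can request a token for a ServiceAccount in any namespace; make sure tenant-facing stores in this repo stay namespace-scoped `SecretStore` objects where cross-namespace impersonation is not intended. Minor: the duplicated description "then this audiences will be appended to the list" is ungrammatical; it is upstream-generated CRD text, so it belongs in an upstream fix rather than this chart bump.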
@@ -3319,29 +3503,31 @@
                                     kubernetesServiceAccountToken:
                                       description: |-
                                         Optional ServiceAccountToken specifies the Kubernetes service account for which to request
                                         a token for with the `TokenRequest` API.
                                       properties:
                                         audiences:
                                           description: |-
                                             Optional audiences field that will be used to request a temporary Kubernetes service
                                             account token for the service account referenced by `serviceAccountRef`.
                                             Defaults to a single audience `vault` it not specified.
+
                                             Deprecated: use serviceAccountRef.Audiences instead
                                           items:
                                             type: string
                                           type: array
                                         expirationSeconds:
                                           description: |-
                                             Optional expiration time in seconds that will be used to request a temporary
                                             Kubernetes service account token for the service account referenced by
                                             `serviceAccountRef`.
+
                                             Deprecated: this will be removed in the future.
                                             Defaults to 10 minutes.
                                           format: int64
                                           type: integer
                                         serviceAccountRef:
                                           description: Service account field containing the name of a kubernetes ServiceAccount.
                                           properties:
                                             audiences:
                                               description: |-
                                                 Audience specifies the `aud` claim for the service account token
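Review bot: the only change here is a paragraph break, but the text it separates marks `kubernetesServiceAccountToken.audiences` as deprecated in favour of `serviceAccountRef.audiences` and `expirationSeconds` as slated for removal; grep this repo's Vault `SecretStore`/`ClusterSecretStore` manifests for both fields and migrate the audiences now so the next major does not break auth silently.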
@@ -4178,29 +4364,169 @@
                             type: object
                           metadata:
                             description: |-
                               Metadata is metadata attached to the secret.
                               The structure of metadata is provider specific, please look it up in the provider documentation.
                             x-kubernetes-preserve-unknown-fields: true
                         required:
                           - match
                         type: object
                       type: array
+                    dataTo:
+                      description: DataTo defines bulk push rules that expand source Secret keys into provider entries.
+                      items:
+                        description: PushSecretDataTo defines how to bulk-push secrets to providers without explicit per-key mappings.
+                        properties:
+                          conversionStrategy:
+                            default: None
+                            description: Used to define a conversion Strategy for the secret keys
+                            enum:
+                              - None
+                              - ReverseUnicode
+                            type: string
+                          match:
+                            description: |-
+                              Match pattern for selecting keys from the source Secret.
+                              If not specified, all keys are selected.
+                            properties:
+                              regexp:
+                                description: |-
+                                  Regexp matches keys by regular expression.
+                                  If not specified, all keys are matched.
+                                type: string
+                            type: object
+                          metadata:
+                            description: |-
+                              Metadata is metadata attached to the secret.
+                              The structure of metadata is provider specific, please look it up in the provider documentation.
+                            x-kubernetes-preserve-unknown-fields: true
+                          remoteKey:
+                            description: |-
+                              RemoteKey is the name of the single provider secret that will receive ALL
+                              matched keys bundled as a JSON object (e.g. {"DB_HOST":"...","DB_USER":"..."}).
+                              When set, per-key expansion is skipped and a single push is performed.
+                              The provider's store prefix (if any) is still prepended to this value.
+                              When not set, each matched key is pushed as its own individual provider secret.
+                            type: string
+                          rewrite:
+                            description: |-
+                              Rewrite operations to transform keys before pushing to the provider.
+                              Operations are applied sequentially.
+                            items:
+                              description: PushSecretRewrite defines how to transform secret keys before pushing.
+                              properties:
+                                regexp:
+                                  description: Used to rewrite with regular expressions.
+                                  properties:
+                                    source:
+                                      description: Used to define the regular expression of a re.Compiler.
+                                      type: string
+                                    target:
+                                      description: Used to define the target pattern of a ReplaceAll operation.
+                                      type: string
+                                  required:
+                                    - source
+                                    - target
+                                  type: object
+                                transform:
+                                  description: Used to apply string transformation on the secrets.
+                                  properties:
+                                    template:
+                                      description: |-
+                                        Used to define the template to apply on the secret name.
+                                        `.value ` will specify the secret name in the template.
+                                      type: string
+                                  required:
+                                    - template
+                                  type: object
+                              type: object
+                              x-kubernetes-validations:
+                                - message: exactly one of regexp or transform must be set
+                                  rule: (has(self.regexp) && !has(self.transform)) || (!has(self.regexp) && has(self.transform))
+                            type: array
+                          storeRef:
+                            description: StoreRef specifies which SecretStore to push to. Required.
+                            properties:
+                              kind:
+                                default: SecretStore
+                                description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+                                enum:
+                                  - SecretStore
+                                  - ClusterSecretStore
+                                type: string
+                              labelSelector:
+                                description: Optionally, sync to secret stores with label selector
+                                properties:
+                                  matchExpressions:
+                                    description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                                    items:
+                                      description: |-
+                                        A label selector requirement is a selector that contains values, a key, and an operator that
+                                        relates the key and values.
+                                      properties:
+                                        key:
+                                          description: key is the label key that the selector applies to.
+                                          type: string
+                                        operator:
+                                          description: |-
+                                            operator represents a key's relationship to a set of values.
+                                            Valid operators are In, NotIn, Exists and DoesNotExist.
+                                          type: string
+                                        values:
+                                          description: |-
+                                            values is an array of string values. If the operator is In or NotIn,
+                                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                            the values array must be empty. This array is replaced during a strategic
+                                            merge patch.
+                                          items:
+                                            type: string
+                                          type: array
+                                          x-kubernetes-list-type: atomic
+                                      required:
+                                        - key
+                                        - operator
+                                      type: object
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                  matchLabels:
+                                    additionalProperties:
+                                      type: string
+                                    description: |-
+                                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                      map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                      operator is "In", and the values array contains only "value". The requirements are ANDed.
+                                    type: object
+                                type: object
+                                x-kubernetes-map-type: atomic
+                              name:
+                                description: Optionally, sync to the SecretStore of the given name
+                                maxLength: 253
+                                minLength: 1
+                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                type: string
+                            type: object
+                        type: object
+                        x-kubernetes-validations:
+                          - message: storeRef must specify either name or labelSelector
+                            rule: has(self.storeRef) && (has(self.storeRef.name) || has(self.storeRef.labelSelector))
+                          - message: 'remoteKey and rewrite are mutually exclusive: rewrite is only supported in per-key mode (without remoteKey)'
+                            rule: '!has(self.remoteKey) || !has(self.rewrite) || size(self.rewrite) == 0'
+                      type: array
                     deletionPolicy:
                       default: None
                       description: Deletion Policy to handle Secrets in the provider.
                       enum:
                         - Delete
                         - None
                       type: string
                     refreshInterval:
-                      default: 1h
+                      default: 1h0m0s
                       description: The Interval to which External Secrets will try to push a secret definition
                       type: string
                     secretStoreRefs:
                       items:
                         description: PushSecretStoreRef contains a reference on how to sync to a SecretStore.
                         properties:
                           kind:
                             default: SecretStore
                             description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
                             enum:
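Review bot: the `refreshInterval` default moves from `1h` to `1h0m0s`; both parse to the same duration, but PushSecret objects that omit the field will now be defaulted to the new string by the API server, which can surface as drift in GitOps tooling that compares against a rendered `1h`, so either pin `refreshInterval` explicitly in this repo's PushSecrets or accept the new form. On the new `dataTo` rules: when `match.regexp` is omitted all source keys are selected, and with `remoteKey` set they are bundled into one JSON object in a single provider secret, so any PushSecret adopting `dataTo` should set `match.regexp` explicitly to avoid pushing unrelated keys to the provider.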
@@ -4470,25 +4796,25 @@
                                     maxLength: 253
                                     minLength: 1
                                     pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                     type: string
                                 required:
                                   - items
                                   - name
                                 type: object
                               target:
                                 default: Data
-                                description: TemplateTarget specifies where the rendered templates should be applied.
-                                enum:
-                                  - Data
-                                  - Annotations
-                                  - Labels
+                                description: |-
+                                  Target specifies where to place the template result.
+                                  For Secret resources, common values are: "Data", "Annotations", "Labels".
+                                  For custom resources (when spec.target.manifest is set), this supports
+                                  nested paths like "spec.database.config" or "data".
                                 type: string
                             type: object
                           type: array
                         type:
                           type: string
                       type: object
                     updatePolicy:
                       default: Replace
                       description: UpdatePolicy to handle Secrets in the provider.
                       enum:
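Review bot: dropping the `enum` on template `target` means values other than `Data`, `Annotations`, `Labels` are no longer rejected at admission; a typo or wrong casing in an existing template will now pass validation and only fail (or be silently misapplied) at reconcile time. Check the repo's ExternalSecret templates for exact casing before merging, and treat the nested-path form (`spec.database.config`) as only meaningful together with `spec.target.manifest`.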
@@ -4612,21 +4938,21 @@
                 Cannot be updated.
                 In CamelCase.
                 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
               type: string
             metadata:
               type: object
             spec:
               description: SecretStoreSpec defines the desired state of SecretStore.
               properties:
                 conditions:
-                  description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
+                  description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
                   items:
                     description: |-
                       ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
                       for a ClusterSecretStore instance.
                     properties:
                       namespaceRegexes:
                         description: Choose namespaces by using regex matching
                         items:
                           type: string
                         type: array
@@ -4906,110 +5232,20 @@
                                 - ConfigMap
                               type: string
                           required:
                             - name
                             - type
                           type: object
                       required:
                         - akeylessGWApiURL
                         - authSecretRef
                       type: object
-                    alibaba:
-                      description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
-                      properties:
-                        auth:
-                          description: AlibabaAuth contains a secretRef for credentials.
-                          properties:
-                            rrsa:
-                              description: AlibabaRRSAAuth authenticates against Alibaba using RRSA.
-                              properties:
-                                oidcProviderArn:
-                                  type: string
-                                oidcTokenFilePath:
-                                  type: string
-                                roleArn:
-                                  type: string
-                                sessionName:
-                                  type: string
-                              required:
-                                - oidcProviderArn
-                                - oidcTokenFilePath
-                                - roleArn
-                                - sessionName
-                              type: object
-                            secretRef:
-                              description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
-                              properties:
-                                accessKeyIDSecretRef:
-                                  description: The AccessKeyID is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        A key in the referenced Secret.
-                                        Some instances of this field may be defaulted, in others it may be required.
-                                      maxLength: 253
-                                      minLength: 1
-                                      pattern: ^[-._a-zA-Z0-9]+$
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      maxLength: 253
-                                      minLength: 1
-                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        The namespace of the Secret resource being referred to.
-                                        Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
-                                      maxLength: 63
-                                      minLength: 1
-                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
-                                      type: string
-                                  type: object
-                                accessKeySecretSecretRef:
-                                  description: The AccessKeySecret is used for authentication
-                                  properties:
-                                    key:
-                                      description: |-
-                                        A key in the referenced Secret.
-                                        Some instances of this field may be defaulted, in others it may be required.
-                                      maxLength: 253
-                                      minLength: 1
-                                      pattern: ^[-._a-zA-Z0-9]+$
-                                      type: string
-                                    name:
-                                      description: The name of the Secret resource being referred to.
-                                      maxLength: 253
-                                      minLength: 1
-                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                                      type: string
-                                    namespace:
-                                      description: |-
-                                        The namespace of the Secret resource being referred to.
-                                        Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
-                                      maxLength: 63
-                                      minLength: 1
-                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
-                                      type: string
-                                  type: object
-                              required:
-                                - accessKeyIDSecretRef
-                                - accessKeySecretSecretRef
-                              type: object
-                          type: object
-                        regionID:
-                          description: Alibaba Region to be used for the provider
-                          type: string
-                      required:
-                        - auth
-                        - regionID
-                      type: object
                     aws:
                       description: AWS configures this store to sync secrets using AWS Secret Manager provider
                       properties:
                         additionalRoles:
                           description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
                           items:
                             type: string
                           type: array
                         auth:
                           description: |-
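Review bot: the whole `provider.alibaba` block is removed from the SecretStore schema, so any existing `SecretStore`/`ClusterSecretStore` using the Alibaba provider will be rejected (or have the field pruned) once the new CRD is applied, and the ExternalSecrets backed by it will stop syncing. Confirm no store in this repo references `alibaba` before merging; if one does, this major cannot be taken without a migration plan.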
@@ -5319,22 +5555,25 @@
                             Valid values are:
                             - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
                             - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
                           enum:
                             - ServicePrincipal
                             - ManagedIdentity
                             - WorkloadIdentity
                           type: string
                         customCloudConfig:
                           description: |-
-                            CustomCloudConfig defines custom Azure Stack Hub or Azure Stack Edge endpoints.
+                            CustomCloudConfig defines custom Azure endpoints for non-standard clouds.
                             Required when EnvironmentType is AzureStackCloud.
+                            Optional for other environment types - useful for Azure China when using Workload Identity
+                            with AKS, where the OIDC issuer (login.partner.microsoftonline.cn) differs from the
+                            standard China Cloud endpoint (login.chinacloudapi.cn).
                             IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
                             configuration is not supported with the legacy go-autorest SDK.
                           properties:
                             activeDirectoryEndpoint:
                               description: |-
                                 ActiveDirectoryEndpoint is the AAD endpoint for authentication
                                 Required when using custom cloud configuration
                               type: string
                             keyVaultDNSSuffix:
                               description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs
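Review bot: the broadened `customCloudConfig` description says the feature REQUIRES `useAzureSDK: true`, but nothing in this hunk enforces that dependency in the schema, so a store that sets `customCloudConfig` for Azure China Workload Identity without `useAzureSDK` will validate and then behave as if the custom endpoints were not set. If this repo adopts the new option, set both fields together and verify the OIDC issuer endpoint is the one actually used at runtime.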
@@ -5404,20 +5643,111 @@
                           description: |-
                             UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
                             This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
                           type: boolean
                         vaultUrl:
                           description: Vault Url from which the secrets to be fetched from.
                           type: string
                       required:
                         - vaultUrl
                       type: object
+                    barbican:
+                      description: Barbican configures this store to sync secrets using the OpenStack Barbican provider
+                      properties:
+                        auth:
+                          description: BarbicanAuth contains the authentication information for Barbican.
+                          properties:
+                            password:
+                              description: BarbicanProviderPasswordRef defines a reference to a secret containing password for the Barbican provider.
+                              properties:
+                                secretRef:
+                                  description: |-
+                                    SecretKeySelector is a reference to a specific 'key' within a Secret resource.
+                                    In some instances, `key` is a required field.
+                                  properties:
+                                    key:
+                                      description: |-
+                                        A key in the referenced Secret.
+                                        Some instances of this field may be defaulted, in others it may be required.
+                                      maxLength: 253
+                                      minLength: 1
+                                      pattern: ^[-._a-zA-Z0-9]+$
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      maxLength: 253
+                                      minLength: 1
+                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                      type: string
+                                    namespace:
+                                      description: |-
+                                        The namespace of the Secret resource being referred to.
+                                        Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+                                      maxLength: 63
+                                      minLength: 1
+                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                                      type: string
+                                  type: object
+                              required:
+                                - secretRef
+                              type: object
+                            username:
+                              description: BarbicanProviderUsernameRef defines a reference to a secret containing username for the Barbican provider.
+                              maxProperties: 1
+                              minProperties: 1
+                              properties:
+                                secretRef:
+                                  description: |-
+                                    SecretKeySelector is a reference to a specific 'key' within a Secret resource.
+                                    In some instances, `key` is a required field.
+                                  properties:
+                                    key:
+                                      description: |-
+                                        A key in the referenced Secret.
+                                        Some instances of this field may be defaulted, in others it may be required.
+                                      maxLength: 253
+                                      minLength: 1
+                                      pattern: ^[-._a-zA-Z0-9]+$
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      maxLength: 253
+                                      minLength: 1
+                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                      type: string
+                                    namespace:
+                                      description: |-
+                                        The namespace of the Secret resource being referred to.
+                                        Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+                                      maxLength: 63
+                                      minLength: 1
+                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                                      type: string
+                                  type: object
+                                value:
+                                  type: string
+                              type: object
+                          required:
+                            - password
+                            - username
+                          type: object
+                        authURL:
+                          type: string
+                        domainName:
+                          type: string
+                        region:
+                          type: string
+                        tenantName:
+                          type: string
+                      required:
+                        - auth
+                      type: object
                     beyondtrust:
                       description: Beyondtrust configures this store to sync secrets using Password Safe provider.
                       properties:
                         auth:
                           description: Auth configures how the operator authenticates with Beyondtrust.
                           properties:
                             apiKey:
                               description: APIKey If not provided then ClientID/ClientSecret become required.
                               properties:
                                 secretRef:
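Review bot: in the new `barbican` block, `authURL`, `domainName`, `region` and `tenantName` are bare `type: string` entries with no `description` and no length or format constraint, and the store-level `required` lists only `auth`, so a store with a missing or empty `authURL` passes CRD validation and only fails at sync time. Suggest a `description` for each, `minLength: 1` (plus `format: uri` on `authURL` if the provider expects a URL), and adding `authURL` to `required` if the provider cannot connect without it. Also note the asymmetry inside `auth`: `password` accepts only `secretRef` (good, it keeps the credential out of the spec), while `username` accepts either `secretRef` or an inline `value`, with `minProperties: 1` / `maxProperties: 1` enforcing exactly one; that is reasonable, but the `username` description currently only mentions a secret reference, so the inline `value` option should be documented there.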
@@ -5586,20 +5916,24 @@
                         server:
                           description: Auth configures how API server works.
                           properties:
                             apiUrl:
                               type: string
                             apiVersion:
                               type: string
                             clientTimeOutSeconds:
                               description: Timeout specifies a time limit for requests made by this Client. The time
[Truncated: Diff output was too large]
 

@pipelines-github-app pipelines-github-app bot force-pushed the renovate/major-2-external-secrets-genmachine branch 5 times, most recently from 8b316f0 to 4495364 Compare February 13, 2026 04:49
@pipelines-github-app pipelines-github-app bot force-pushed the renovate/major-2-external-secrets-genmachine branch 6 times, most recently from 93859bc to 240a5ad Compare February 21, 2026 04:10
@pipelines-github-app pipelines-github-app bot changed the title feat(helm)!: Update Chart external-secrets (0.20.4 → 2.0.0) feat(helm)!: Update Chart external-secrets (0.20.4 → 2.0.1) Feb 21, 2026
@pipelines-github-app pipelines-github-app bot force-pushed the renovate/major-2-external-secrets-genmachine branch 6 times, most recently from 8152b64 to 60f1507 Compare February 28, 2026 04:13
@pipelines-github-app pipelines-github-app bot force-pushed the renovate/major-2-external-secrets-genmachine branch 7 times, most recently from cbd3505 to 7e7b9d1 Compare March 8, 2026 04:15
@pipelines-github-app pipelines-github-app bot force-pushed the renovate/major-2-external-secrets-genmachine branch 4 times, most recently from d718338 to 6806ab6 Compare March 20, 2026 04:32
@pipelines-github-app pipelines-github-app bot changed the title feat(helm)!: Update Chart external-secrets (0.20.4 → 2.1.0) feat(helm)!: Update Chart external-secrets (0.20.4 → 2.2.0) Mar 21, 2026
@pipelines-github-app pipelines-github-app bot force-pushed the renovate/major-2-external-secrets-genmachine branch 7 times, most recently from 029c77e to 0f371e5 Compare March 27, 2026 05:03
@pipelines-github-app pipelines-github-app bot force-pushed the renovate/major-2-external-secrets-genmachine branch 7 times, most recently from 381ce28 to 5d571d8 Compare April 4, 2026 04:46
@pipelines-github-app pipelines-github-app bot force-pushed the renovate/major-2-external-secrets-genmachine branch 3 times, most recently from de67e77 to c0e71be Compare April 10, 2026 05:19
@pipelines-github-app pipelines-github-app bot changed the title feat(helm)!: Update Chart external-secrets (0.20.4 → 2.2.0) feat(helm)!: Update Chart external-secrets (0.20.4 → 2.3.0) Apr 11, 2026
@pipelines-github-app pipelines-github-app bot force-pushed the renovate/major-2-external-secrets-genmachine branch 5 times, most recently from 7e0400d to 78136ef Compare April 15, 2026 05:18
| datasource | package          | from   | to    |
| ---------- | ---------------- | ------ | ----- |
| helm       | external-secrets | 0.20.4 | 2.3.0 |


Co-authored-by: renovate[bot] <renovate@whitesourcesoftware.com>
@pipelines-github-app pipelines-github-app bot force-pushed the renovate/major-2-external-secrets-genmachine branch from 78136ef to 632412b Compare April 16, 2026 05:24

Labels

app/external-secrets Changes made to External Secrets application env/genmachine Changes made in the Talos cluster renovate/helm Changes related to Helm Chart update type/major
