feat(helm)!: Update Chart external-secrets (0.20.4 → 2.0.0) #1216
Open: pipelines-github-app wants to merge 1 commit into main from renovate/major-2-external-secrets-genmachine
+1
−1
--- main/external-secrets_gitops_manifests_external-secrets_genmachine_manifest_main.yaml 2026-02-12 04:53:59.504550842 +0000
+++ pr/external-secrets_gitops_manifests_external-secrets_genmachine_manifest_pr.yaml 2026-02-12 04:53:58.711550851 +0000
@@ -1,71 +1,71 @@
---
# Source: external-secrets/charts/external-secrets/templates/cert-controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: external-secrets-cert-controller
namespace: default
labels:
- helm.sh/chart: external-secrets-0.20.4
+ helm.sh/chart: external-secrets-2.0.0
app.kubernetes.io/name: external-secrets-cert-controller
app.kubernetes.io/instance: external-secrets
- app.kubernetes.io/version: "v0.20.4"
+ app.kubernetes.io/version: "v2.0.0"
app.kubernetes.io/managed-by: Helm
---
# Source: external-secrets/charts/external-secrets/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: external-secrets
namespace: default
labels:
- helm.sh/chart: external-secrets-0.20.4
+ helm.sh/chart: external-secrets-2.0.0
app.kubernetes.io/name: external-secrets
app.kubernetes.io/instance: external-secrets
- app.kubernetes.io/version: "v0.20.4"
+ app.kubernetes.io/version: "v2.0.0"
app.kubernetes.io/managed-by: Helm
---
# Source: external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: external-secrets-webhook
namespace: default
labels:
- helm.sh/chart: external-secrets-0.20.4
+ helm.sh/chart: external-secrets-2.0.0
app.kubernetes.io/name: external-secrets-webhook
app.kubernetes.io/instance: external-secrets
- app.kubernetes.io/version: "v0.20.4"
+ app.kubernetes.io/version: "v2.0.0"
app.kubernetes.io/managed-by: Helm
---
# Source: external-secrets/templates/clusterSecretStore.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: eso-auth
namespace: external-secrets
---
# Source: external-secrets/charts/external-secrets/templates/webhook-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: external-secrets-webhook
namespace: default
labels:
- helm.sh/chart: external-secrets-0.20.4
+ helm.sh/chart: external-secrets-2.0.0
app.kubernetes.io/name: external-secrets-webhook
app.kubernetes.io/instance: external-secrets
- app.kubernetes.io/version: "v0.20.4"
+ app.kubernetes.io/version: "v2.0.0"
app.kubernetes.io/managed-by: Helm
external-secrets.io/component: webhook
---
# Source: external-secrets/templates/clusterSecretStore.yaml
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: eso-auth
namespace: external-secrets
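Review bot: the only changes in this hunk are the `helm.sh/chart` and `app.kubernetes.io/version` labels on the three chart ServiceAccounts and the webhook Secret, so the identities the controller, cert-controller and webhook run as are unchanged across the major bump. The `eso-auth` ServiceAccount and its `kubernetes.io/service-account-token` Secret in the `external-secrets` namespace are unchanged local context, but since that Secret type is a non-expiring token, this upgrade is a reasonable moment to confirm it is still needed rather than a projected, short-lived token.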
@@ -805,27 +805,27 @@
description: Name of the SecretStore resource
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
type: object
type: object
type: object
type: array
refreshInterval:
- default: 1h
+ default: 1h0m0s
description: |-
RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
specified as Golang Duration strings.
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
- Example values: "1h", "2h30m", "10s"
- May be set to zero to fetch and create it once. Defaults to 1h.
+ Example values: "1h0m0s", "2h30m0s", "10m0s"
+ May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
type: string
refreshPolicy:
description: |-
RefreshPolicy determines how the ExternalSecret should be refreshed:
- CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
- Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
No periodic updates occur if refreshInterval is 0.
- OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
enum:
- CreatedOnce
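Review bot: the new default `1h0m0s` and the `"0s"` wording in the RefreshInterval description are inconsistent with the unchanged RefreshPolicy text directly below, which still says "No periodic updates occur if refreshInterval is 0"; both parse as the same Go duration, but the documentation should use one form. Note also that changing a CRD `default:` means every ExternalSecret that omits `refreshInterval` will now be defaulted to `1h0m0s` by the API server, so check that your GitOps tooling does not report that as drift.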
@@ -875,20 +875,39 @@
DeletionPolicy defines rules on how to delete the resulting Secret.
Defaults to "Retain"
enum:
- Delete
- Merge
- Retain
type: string
immutable:
description: Immutable defines if the final secret will be immutable
type: boolean
+ manifest:
+ description: |-
+ Manifest defines a custom Kubernetes resource to create instead of a Secret.
+ When specified, ExternalSecret will create the resource type defined here
+ (e.g., ConfigMap, Custom Resource) instead of a Secret.
+ Warning: Using Generic target. Make sure access policies and encryption are properly configured.
+ properties:
+ apiVersion:
+ description: APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application)
+ minLength: 1
+ type: string
+ kind:
+ description: Kind of the target resource (e.g., "ConfigMap", "Application")
+ minLength: 1
+ type: string
+ required:
+ - apiVersion
+ - kind
+ type: object
name:
description: |-
The name of the Secret resource to be managed.
Defaults to the .metadata.name of the ExternalSecret resource
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
template:
description: Template defines a blueprint for the created Secret resource.
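Review bot: the new `target.manifest` block lets an ExternalSecret materialize provider secrets into a ConfigMap or an arbitrary custom resource, and the schema's own "Using Generic target" warning is the only guard. Those kinds are not covered by Secret-specific RBAC, by an etcd encryption-at-rest configuration scoped to Secrets, or by tooling that redacts Secret data, so before enabling it confirm the chart's ClusterRole grants the controller write access only to the kinds you intend, and consider an admission policy that restricts `spec.target.manifest.kind`. Separately, the `name` description still reads "The name of the Secret resource to be managed" and should mention the manifest case.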
@@ -1002,25 +1021,25 @@
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- items
- name
type: object
target:
default: Data
- description: TemplateTarget specifies where the rendered templates should be applied.
- enum:
- - Data
- - Annotations
- - Labels
+ description: |-
+ Target specifies where to place the template result.
+ For Secret resources, common values are: "Data", "Annotations", "Labels".
+ For custom resources (when spec.target.manifest is set), this supports
+ nested paths like "spec.database.config" or "data".
type: string
type: object
type: array
type:
type: string
type: object
type: object
type: object
namespaceSelector:
description: |-
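Review bot: dropping the `enum` on `template.target` removes admission-time validation for the Secret case, so a typo such as `data` or `Annotation` is now accepted by the API server and only fails, or is silently ignored, in the controller. Suggest a CEL `x-kubernetes-validations` rule that keeps the old three values whenever `spec.target.manifest` is unset, in the same style as the exactly-one rule the Doppler auth block gets later in this diff.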
@@ -1546,27 +1565,27 @@
description: Name of the SecretStore resource
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
type: object
type: object
type: object
type: array
refreshInterval:
- default: 1h
+ default: 1h0m0s
description: |-
RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
specified as Golang Duration strings.
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
- Example values: "1h", "2h30m", "10s"
- May be set to zero to fetch and create it once. Defaults to 1h.
+ Example values: "1h0m0s", "2h30m0s", "10m0s"
+ May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
type: string
refreshPolicy:
description: |-
RefreshPolicy determines how the ExternalSecret should be refreshed:
- CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
- Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
No periodic updates occur if refreshInterval is 0.
- OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
enum:
- CreatedOnce
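Review bot: same inconsistency as in the ExternalSecret schema above: the description now says `"0s"` while the RefreshPolicy text still says `0`. Both places should be fixed in the upstream source so the ClusterExternalSecret template stays in sync.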
@@ -2751,20 +2770,28 @@
length:
default: 24
description: |-
Length of the password to be generated.
Defaults to 24
type: integer
noUpper:
default: false
description: Set NoUpper to disable uppercase characters
type: boolean
+ secretKeys:
+ description: |-
+ SecretKeys defines the keys that will be populated with generated passwords.
+ Defaults to "password" when not set.
+ items:
+ type: string
+ minItems: 1
+ type: array
symbolCharacters:
description: |-
SymbolCharacters specifies the special characters that should be used
in the generated password.
type: string
symbols:
description: |-
Symbols specifies the number of symbol characters in the generated
password. If omitted it defaults to 25% of the length of the password
type: integer
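Review bot: the `secretKeys` description does not say whether each listed key receives an independently generated password or the same value, which matters when one generator feeds several credentials; suggest stating it explicitly. `minItems: 1` is good, but consider `x-kubernetes-list-type: set` so duplicate key names cannot be listed.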
@@ -2815,31 +2842,33 @@
- serviceAccountRef
type: object
sshKeySpec:
description: SSHKeySpec controls the behavior of the ssh key generator.
properties:
comment:
description: Comment specifies an optional comment for the SSH key
type: string
keySize:
description: |-
- KeySize specifies the key size for RSA keys (default: 2048)
+ KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).
For RSA keys: 2048, 3072, 4096
+ For ECDSA keys: 256, 384, 521
Ignored for ed25519 keys
maximum: 8192
minimum: 256
type: integer
keyType:
default: rsa
- description: KeyType specifies the SSH key type (rsa, ed25519)
+ description: KeyType specifies the SSH key type (rsa, ecdsa, ed25519)
enum:
- rsa
+ - ecdsa
- ed25519
type: string
type: object
stsSessionTokenSpec:
description: STSSessionTokenSpec defines the desired state to generate an AWS STS session token.
properties:
auth:
description: Auth defines how to authenticate with AWS
properties:
jwt:
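Review bot: the `keySize` bounds (`minimum: 256`, `maximum: 8192`) are shared across key types, so the schema still admits `keyType: rsa` with `keySize: 256` and `keyType: ecdsa` with `keySize: 2048`, even though the description lists 2048/3072/4096 and 256/384/521 as the valid sizes. Suggest a CEL rule per key type, e.g. `self.keyType != 'rsa' || self.keySize >= 2048` and `self.keyType != 'ecdsa' || self.keySize in [256, 384, 521]`, so weak or unsupported sizes are rejected at admission rather than at generation time.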
@@ -3161,20 +3190,148 @@
namespace:
description: |-
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type: object
type: object
+ gcp:
+ description: |-
+ Gcp authenticates with Vault using Google Cloud Platform authentication method
+ GCP authentication method
+ properties:
+ location:
+ description: Location optionally defines a location/region for the secret
+ type: string
+ path:
+ default: gcp
+ description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
+ type: string
+ projectID:
+ description: Project ID of the Google Cloud Platform project
+ type: string
+ role:
+ description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
+ type: string
+ secretRef:
+ description: Specify credentials in a Secret object
+ properties:
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: |-
+ A key in the referenced Secret.
+ Some instances of this field may be defaulted, in others it may be required.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ The namespace of the Secret resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ type: object
+ type: object
+ serviceAccountRef:
+ description: ServiceAccountRef to a service account for impersonation
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ workloadIdentity:
+ description: Specify a service account with Workload Identity
+ properties:
+ clusterLocation:
+ description: |-
+ ClusterLocation is the location of the cluster
+ If not specified, it fetches information from the metadata server
+ type: string
+ clusterName:
+ description: |-
+ ClusterName is the name of the cluster
+ If not specified, it fetches information from the metadata server
+ type: string
+ clusterProjectID:
+ description: |-
+ ClusterProjectID is the project ID of the cluster
+ If not specified, it fetches information from the metadata server
+ type: string
+ serviceAccountRef:
+ description: ServiceAccountSelector is a reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - serviceAccountRef
+ type: object
+ required:
+ - role
+ type: object
iam:
description: |-
Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
AWS IAM authentication method
properties:
externalID:
description: AWS External ID set on assumed IAM roles
type: string
jwt:
description: Specify a service account with IRSA enabled
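Review bot: the new `gcp` auth block requires only `role`, with `secretRef`, `serviceAccountRef` and `workloadIdentity` all optional and no rule that exactly one is set, unlike the Doppler auth block later in this diff, which gets an `x-kubernetes-validations` exactly-one rule; suggest the same here. The `secretRef.secretAccessKeySecretRef` name and its description "The SecretAccessKey is used for authentication" read as AWS terminology; state what the referenced key must actually contain for GCP so users do not mount the wrong credential. The description also repeats "GCP authentication method" on its second line.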
@@ -4186,21 +4343,21 @@
type: object
type: array
deletionPolicy:
default: None
description: Deletion Policy to handle Secrets in the provider.
enum:
- Delete
- None
type: string
refreshInterval:
- default: 1h
+ default: 1h0m0s
description: The Interval to which External Secrets will try to push a secret definition
type: string
secretStoreRefs:
items:
description: PushSecretStoreRef contains a reference on how to sync to a SecretStore.
properties:
kind:
default: SecretStore
description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
enum:
@@ -4470,25 +4627,25 @@
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
required:
- items
- name
type: object
target:
default: Data
- description: TemplateTarget specifies where the rendered templates should be applied.
- enum:
- - Data
- - Annotations
- - Labels
+ description: |-
+ Target specifies where to place the template result.
+ For Secret resources, common values are: "Data", "Annotations", "Labels".
+ For custom resources (when spec.target.manifest is set), this supports
+ nested paths like "spec.database.config" or "data".
type: string
type: object
type: array
type:
type: string
type: object
updatePolicy:
default: Replace
description: UpdatePolicy to handle Secrets in the provider.
enum:
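Review bot: the new `target` description in this PushSecret template block says "For custom resources (when spec.target.manifest is set)", but this block sits beside `updatePolicy` and `secretStoreRefs`, i.e. in PushSecret, which has no `spec.target.manifest`; the text was copied from ExternalSecret and should be trimmed here. As with ExternalSecret, dropping the enum means invalid targets are no longer rejected at admission.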
@@ -4612,21 +4769,21 @@
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: SecretStoreSpec defines the desired state of SecretStore.
properties:
conditions:
- description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
+ description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
items:
description: |-
ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
for a ClusterSecretStore instance.
properties:
namespaceRegexes:
description: Choose namespaces by using regex matching
items:
type: string
type: array
@@ -4906,110 +5063,20 @@
- ConfigMap
type: string
required:
- name
- type
type: object
required:
- akeylessGWApiURL
- authSecretRef
type: object
- alibaba:
- description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
- properties:
- auth:
- description: AlibabaAuth contains a secretRef for credentials.
- properties:
- rrsa:
- description: AlibabaRRSAAuth authenticates against Alibaba using RRSA.
- properties:
- oidcProviderArn:
- type: string
- oidcTokenFilePath:
- type: string
- roleArn:
- type: string
- sessionName:
- type: string
- required:
- - oidcProviderArn
- - oidcTokenFilePath
- - roleArn
- - sessionName
- type: object
- secretRef:
- description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- accessKeySecretSecretRef:
- description: The AccessKeySecret is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - accessKeyIDSecretRef
- - accessKeySecretSecretRef
- type: object
- type: object
- regionID:
- description: Alibaba Region to be used for the provider
- type: string
- required:
- - auth
- - regionID
- type: object
aws:
description: AWS configures this store to sync secrets using AWS Secret Manager provider
properties:
additionalRoles:
description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
items:
type: string
type: array
auth:
description: |-
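Review bot: removal of the `alibaba` provider is a breaking change in this major bump: any existing SecretStore or ClusterSecretStore that sets `spec.provider.alibaba` will fail schema validation once the new CRD is applied, and its ExternalSecrets will stop refreshing. Before merging, list stores in the cluster with `kubectl get secretstores,clustersecretstores -A -o yaml | grep -n 'alibaba:'`, migrate or delete them, and check the upstream 2.0.0 release notes for the intended replacement.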
@@ -5319,22 +5386,25 @@
Valid values are:
- "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
- "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
enum:
- ServicePrincipal
- ManagedIdentity
- WorkloadIdentity
type: string
customCloudConfig:
description: |-
- CustomCloudConfig defines custom Azure Stack Hub or Azure Stack Edge endpoints.
+ CustomCloudConfig defines custom Azure endpoints for non-standard clouds.
Required when EnvironmentType is AzureStackCloud.
+ Optional for other environment types - useful for Azure China when using Workload Identity
+ with AKS, where the OIDC issuer (login.partner.microsoftonline.cn) differs from the
+ standard China Cloud endpoint (login.chinacloudapi.cn).
IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
configuration is not supported with the legacy go-autorest SDK.
properties:
activeDirectoryEndpoint:
description: |-
ActiveDirectoryEndpoint is the AAD endpoint for authentication
Required when using custom cloud configuration
type: string
keyVaultDNSSuffix:
description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs
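Review bot: the updated CustomCloudConfig description now documents an Azure China Workload Identity use, but the enclosing auth-type description ("Valid values are:") still names only ServicePrincipal and ManagedIdentity while the enum below it also contains WorkloadIdentity; worth an upstream doc fix. Since this block points the controller at alternative AAD and Key Vault endpoints, consider a CEL rule requiring `https://` on `activeDirectoryEndpoint`.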
@@ -5404,20 +5474,111 @@
description: |-
UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
type: boolean
vaultUrl:
description: Vault Url from which the secrets to be fetched from.
type: string
required:
- vaultUrl
type: object
+ barbican:
+ description: Barbican configures this store to sync secrets using the OpenStack Barbican provider
+ properties:
+ auth:
+ description: BarbicanAuth contains the authentication information for Barbican.
+ properties:
+ password:
+ description: BarbicanProviderPasswordRef defines a reference to a secret containing password for the Barbican provider.
+ properties:
+ secretRef:
+ description: |-
+ SecretKeySelector is a reference to a specific 'key' within a Secret resource.
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ A key in the referenced Secret.
+ Some instances of this field may be defaulted, in others it may be required.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ The namespace of the Secret resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ type: object
+ required:
+ - secretRef
+ type: object
+ username:
+ description: BarbicanProviderUsernameRef defines a reference to a secret containing username for the Barbican provider.
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ secretRef:
+ description: |-
+ SecretKeySelector is a reference to a specific 'key' within a Secret resource.
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ A key in the referenced Secret.
+ Some instances of this field may be defaulted, in others it may be required.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ The namespace of the Secret resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ type: object
+ value:
+ type: string
+ type: object
+ required:
+ - password
+ - username
+ type: object
+ authURL:
+ type: string
+ domainName:
+ type: string
+ region:
+ type: string
+ tenantName:
+ type: string
+ required:
+ - auth
+ type: object
beyondtrust:
description: Beyondtrust configures this store to sync secrets using Password Safe provider.
properties:
auth:
description: Auth configures how the operator authenticates with Beyondtrust.
properties:
apiKey:
description: APIKey If not provided then ClientID/ClientSecret become required.
properties:
secretRef:
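Review bot: in the new `barbican` provider only `auth` is required, yet `authURL` (the endpoint the username and password are sent to), `domainName`, `region` and `tenantName` have no description, no `minLength` and no required marker, so a store with an empty `authURL` passes admission; suggest at least `required: [auth, authURL]` plus descriptions. Allowing an inline `value` for `username` while `password` accepts only `secretRef` is the right asymmetry. There is no `caBundle` or TLS verification option in this block, so verify how the provider validates the endpoint certificate.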
@@ -5586,20 +5747,24 @@
server:
description: Auth configures how API server works.
properties:
apiUrl:
type: string
apiVersion:
type: string
clientTimeOutSeconds:
description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
type: integer
+ decrypt:
+ default: true
+ description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
+ type: boolean
retrievalType:
description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
type: string
separator:
description: A character that separates the folder names.
type: string
verifyCA:
type: boolean
required:
- apiUrl
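Review bot: the new `decrypt` option defaults to `true`, so existing behaviour is preserved, but the description should say what happens when it is `false` with the SECRET retrieval type: whether the controller errors, or writes a Kubernetes Secret with the password key missing. `verifyCA` directly below has no `default:`, so document whether certificate verification is on when it is omitted.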
@@ -6109,74 +6274,73 @@
urlTemplate:
description: |-
URLTemplate
If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
type: string
required:
- clientId
- clientSecret
- tenant
type: object
- device42:
- description: Device42 configures this store to sync secrets using the Device42 provider
+ doppler:
+ description: Doppler configures this store to sync secrets using the Doppler provider
properties:
auth:
- description: Auth configures how secret-manager authenticates with a Device42 instance.
+ description: Auth configures how the Operator authenticates with the Doppler API
properties:
- secretRef:
- description: Device42SecretRef contains the secret reference for accessing the Device42 instance.
+ oidcConfig:
+ description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
properties:
- credentials:
- description: Username / Password is used for authentication.
+ expirationSeconds:
+ default: 600
+ description: |-
+ ExpirationSeconds sets the ServiceAccount token validity duration.
+ Defaults to 10 minutes.
+ format: int64
+ type: integer
+ identity:
+ description: Identity is the Doppler Service Account Identity ID configured for OIDC authentication.
+ type: string
+ serviceAccountRef:
+ description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
properties:
- key:
+ audiences:
description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
name:
- description: The name of the Secret resource being referred to.
+ description: The name of the ServiceAccount resource being referred to.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
description: |-
- The namespace of the Secret resource being referred to.
+ Namespace of the resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
+ required:
+ - name
type: object
+ required:
+ - identity
+ - serviceAccountRef
type: object
- required:
- - secretRef
- type: object
- host:
- description: URL configures the Device42 instance URL.
- type: string
- required:
- - auth
- - host
- type: object
- doppler:
- description: Doppler configures this store to sync secrets using the Doppler provider
- properties:
- auth:
- description: Auth configures how the Operator authenticates with the Doppler API
- properties:
secretRef:
- description: DopplerAuthSecretRef contains the secret reference for accessing the Doppler API.
+ description: SecretRef authenticates using a Doppler service token stored in a Kubernetes Secret.
properties:
dopplerToken:
description: |-
The DopplerToken is used for authentication.
See https://docs.doppler.com/reference/api#authentication for auth token types.
The Key attribute defaults to dopplerToken if not specified.
properties:
key:
description: |-
A key in the referenced Secret.
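Review bot: removal of the `device42` provider is breaking for the same reason as the Alibaba removal; check for stores with `spec.provider.device42` before upgrading. In the new Doppler `oidcConfig`, `expirationSeconds` defaults to 600 but has no `minimum`; the Kubernetes TokenRequest API rejects values below 600 seconds, so add `minimum: 600` to the schema so an invalid value fails at admission rather than at token request.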
@@ -6196,23 +6360,24 @@
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type: object
required:
- dopplerToken
type: object
- required:
- - secretRef
type: object
+ x-kubernetes-validations:
+ - message: Exactly one of 'secretRef' or 'oidcConfig' must be specified
+ rule: (has(self.secretRef) && !has(self.oidcConfig)) || (!has(self.secretRef) && has(self.oidcConfig))
config:
description: Doppler config (required if not using a Service Token)
type: string
format:
description: Format enables the downloading of secrets as a file (string)
enum:
- json
- dotnet-json
- env
- yaml
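Review bot: replacing `required: [secretRef]` with the CEL exactly-one rule is the right way to add a second auth method without accepting a store that has neither or both. The same pattern should be applied to the new Vault `gcp` auth block earlier in this diff, which currently allows zero or several of `secretRef`, `serviceAccountRef` and `workloadIdentity`.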
@@ -6227,20 +6392,101 @@
- tf-var
- dotnet-env
- lower-kebab
type: string
project:
description: Doppler project (required if not using a Service Token)
type: string
required:
- auth
type: object
+ dvls:
+ description: DVLS configures this store to sync secrets using Devolutions Server provider
+ properties:
+ auth:
+ description: Auth defines the authentication method to use.
+ properties:
+ secretRef:
+ description: SecretRef contains the Application ID and Application Secret for authentication.
+ properties:
+ appId:
+ description: AppID is the reference to the secret containing the Application ID.
+ properties:
+ key:
+ description: |-
+ A key in the referenced Secret.
+ Some instances of this field may be defaulted, in others it may be required.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ The namespace of the Secret resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ type: object
+ appSecret:
+ description: AppSecret is the reference to the secret containing the Application Secret.
+ properties:
+ key:
+ description: |-
+ A key in the referenced Secret.
+ Some instances of this field may be defaulted, in others it may be required.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ The namespace of the Secret resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ type: object
+ required:
+ - appId
+ - appSecret
+ type: object
+ required:
+ - secretRef
+ type: object
+ insecure:
+ description: |-
+ Insecure allows connecting to DVLS over plain HTTP.
+ This is NOT RECOMMENDED for production use.
+ Set to true only if you understand the security implications.
+ type: boolean
+ serverUrl:
+ description: ServerURL is the DVLS instance URL (e.g., https://dvls.example.com).
+ type: string
+ required:
+ - auth
+ - serverUrl
+ type: object
fake:
description: Fake configures a store with static key/value pairs
properties:
data:
items:
description: FakeProviderData defines a key-value pair with optional version for the fake provider.
properties:
key:
type: string
value:
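Review bot: in the new DVLS provider block, `insecure` carries no `default:` and `serverUrl` is an unconstrained `type: string` (no `pattern`, no `format`), so the schema itself says nothing about plain HTTP being opt-in; the only guard is the description text. Consider adding `default: false` to `insecure` and a `pattern: ^https?://` on `serverUrl`, and stating in the description that `insecure: true` is needed for an `http://` URL, so a SecretStore manifest can be judged from the CRD alone. The credential side looks right: `auth` is `required`, and `appId`/`appSecret` are both `required` and can only be given via `secretRef`, so the Application Secret never lands inline in the store spec.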
@@ -6505,21 +6751,21 @@
description: |-
SecretVersionSelectionPolicy specifies how the provider selects a secret version
when "latest" is disabled or destroyed.
Possible values are:
- LatestOrFail: the provider always uses "latest", or fails if that version is disabled/destroyed.
- LatestOrFetch: the provider falls back to fetching the latest version if the version is DESTROYED or DISABLED
type: string
type: object
github:
description: |-
- Github configures this store to push GitHub Action secrets using GitHub API provider.
+ Github configures this store to push GitHub Actions secrets using the GitHub API provider.
Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub
properties:
appID:
description: appID specifies the Github APP that will be used to authenticate the client
format: int64
type: integer
auth:
description: auth configures how secret-manager authenticates with a Github instance.
properties:
privateKey:
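Review bot: the only change in this hunk is the description wording on the `github` provider (`GitHub Action secrets` becomes `GitHub Actions secrets`, `using GitHub API provider` becomes `using the GitHub API provider`), so there is no schema impact; as a style point, the neighbouring descriptions still spell it `Github` (`Github APP`, `Github instance`), and in the `SecretVersionSelectionPolicy` list just above, the `LatestOrFail` item ends with a period while `LatestOrFetch` does not, both of which could be aligned in the same pass.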
@@ -6695,20 +6941,23 @@
type: string
tokenLocation:
description: Location the token is mounted on the pod
type: string
required:
- profile
type: object
secretRef:
description: IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication.
properties:
+ iamEndpoint:
+ description: The IAM endpoint used to obain a token
+ type: string
secretApiKeySecretRef:
description: The SecretAccessKey is used for authentication
properties:
key:
description: |-
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
maxLength: 253
minLength: 1
pattern: ^[-._a-zA-Z0-9]+$
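Review bot: the new `iamEndpoint` description has a typo, `obain` should be `obtain`. More substantively, `iamEndpoint` is a bare `type: string` with no `pattern`, yet it decides where the API key referenced by `secretApiKeySecretRef` is presented to obtain a token; consider restricting it to an `https://` pattern and documenting which endpoint is used when it is left unset, so a non-TLS or mistyped endpoint is rejected at admission rather than discovered at token exchange.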
@@ -7450,20 +7699,62 @@
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type: object
required:
- clientId
- clientSecret
type: object
type: object
+ caBundle:
+ description: |-
+ CABundle is a PEM-encoded CA certificate bundle used to validate
+ the Infisical server's TLS certificate. Mutually exclusive with CAProvider.
+ format: byte
+ type: string
+ caProvider:
+ description: |-
+ CAProvider is a reference to a Secret or ConfigMap that contains a CA certificate.
+ The certificate is used to validate the Infisical server's TLS certificate.
+ Mutually exclusive with CABundle.
+ properties:
+ key:
+ description: The key where the CA certificate can be found in the Secret or ConfigMap.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-z
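Review bot: `caBundle` and `caProvider` are described as mutually exclusive, but nothing in the visible part of the hunk enforces that (no `oneOf` and no `x-kubernetes-validations` rule); unless the truncated remainder adds one, consider a CEL rule such as `!(has(self.caBundle) && has(self.caProvider))` on the enclosing object so a store that sets both is rejected instead of the controller silently choosing one. Also, `caProvider.key` is cut off mid-`pattern` in the diff as rendered, so that constraint cannot be reviewed here.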
[Truncated: Diff output was too large]
aa50dee to 0ede0b3
| datasource | package          | from   | to    |
| ---------- | ---------------- | ------ | ----- |
| helm       | external-secrets | 0.20.4 | 2.0.0 |

Co-authored-by: renovate[bot] <renovate@whitesourcesoftware.com>
0ede0b3 to 8b316f0
Labels
app/external-secrets
Changes made to External Secrets application
env/genmachine
Changes made in the Talos cluster
renovate/helm
Changes related to Helm Chart update
type/major
This PR contains the following updates:
external-secrets: 0.20.4 -> 2.0.0
Warning: Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
external-secrets/external-secrets (external-secrets)
v2.0.0 (Compare Source)
BREAKING CHANGE
Please note that this release removed two of the unsupported and unmaintained providers, Alibaba and Device42.
Image: ghcr.io/external-secrets/external-secrets:v2.0.0
Image: ghcr.io/external-secrets/external-secrets:v2.0.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v2.0.0-ubi-boringssl
What's Changed
General
New Contributors
Full Changelog: external-secrets/external-secrets@v1.3.2...v2.0.0
v1.3.2 (Compare Source)
Image: ghcr.io/external-secrets/external-secrets:v1.3.2
Image: ghcr.io/external-secrets/external-secrets:v1.3.2-ubi
Image: ghcr.io/external-secrets/external-secrets:v1.3.2-ubi-boringssl
What's Changed
General
Dependencies
- 22e9573 to 1f84f5c by @dependabot[bot] in #5871
- 93d5a27 to dcc3150 by @dependabot[bot] in #5875
- d9b2e14 to 98e6cff by @dependabot[bot] in #5907
- 865b95f to 2510918 in /hack/api-docs by @dependabot[bot] in #5914
- dcc3150 to ce70bcf by @dependabot[bot] in #5911
- 1f84f5c to c8df11b by @dependabot[bot] in #5908
- 865b95f to 2510918 by @dependabot[bot] in #5906
New Contributors
Full Changelog: external-secrets/external-secrets@v1.3.1...v1.3.2
v1.3.1 (Compare Source)
Image: ghcr.io/external-secrets/external-secrets:v1.3.1
Image: ghcr.io/external-secrets/external-secrets:v1.3.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v1.3.1-ubi-boringssl
For a full release please refer to https://github.com/external-secrets/external-secrets/releases/tag/v1.3.0. This is a fix build for the docker publish flow.
What's Changed
General
Full Changelog: external-secrets/external-secrets@v1.3.0...v1.3.1
v1.2.1 (Compare Source)
Image: ghcr.io/external-secrets/external-secrets:v1.2.1
Image: ghcr.io/external-secrets/external-secrets:v1.2.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v1.2.1-ubi-boringssl
What's Changed
General
Dependencies
- 2611181 to ac09a5f by @dependabot[bot] in #5758
- 51183f2 to 865b95f in /hack/api-docs by @dependabot[bot] in #5765
- 51183f2 to 865b95f by @dependabot[bot] in #5756
- d4feb57 to 3816d30 by @dependabot[bot] in #5757
- 071811a to 92e4d08 by @dependabot[bot] in #5759
New Contributors
Full Changelog: external-secrets/external-secrets@v1.2.0...v1.2.1
v1.2.0 (Compare Source)
Image: ghcr.io/external-secrets/external-secrets:v1.2.0
Image: ghcr.io/external-secrets/external-secrets:v1.2.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v1.2.0-ubi-boringssl
What's Changed
General
- 64dc681 to release by @jakobmoellerdev in #5749
Dependencies
- dcd8128 to 75937d9 by @dependabot[bot] in #5655
- 87bce11 to 4b2a093 by @dependabot[bot] in #5692
- 2611181 to 2611181 by @dependabot[bot] in #5721
- 75937d9 to d4feb57 by @dependabot[bot] in #5722
- 5117d68 to 09f53de in /e2e by @dependabot[bot] in #5729
- 4b7ce07 to 51183f2 by @dependabot[bot] in #5694
- 712b439 to 071811a by @dependabot[bot] in #5727
New Contributors
Full Changelog: external-secrets/external-secrets@v1.1.1...v1.2.0
v1.1.1 (Compare Source)
Image: ghcr.io/external-secrets/external-secrets:v1.1.1
Image: ghcr.io/external-secrets/external-secrets:v1.1.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v1.1.1-ubi-boringssl
What's Changed
General
- bitwardenServerSDKURL is required for bitwardensecretsmanager by @budimanjojo in #5679
Dependencies
- d3f0cf7 to d3f0cf7 by @dependabot[bot] in #5630
- 7419f54 to e174196 in /e2e by @dependabot[bot] in #5638
- f2964c7 to 4a54c24 by @dependabot[bot] in #5632
- 4c5fdab to 712b439 by @dependabot[bot] in #5659
New Contributors
Full Changelog: external-secrets/external-secrets@v1.1.0...v1.1.1
v1.1.0 (Compare Source)
Image: ghcr.io/external-secrets/external-secrets:v1.1.0
Image: ghcr.io/external-secrets/external-secrets:v1.1.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v1.1.0-ubi-boringssl
What's Changed
!NOTE!: During the last community meeting we discussed that we are retiring our scarf account. With that, we will be changing back to ghcr.io/external-secrets/external-secrets instead of oci.external-secrets.io/external-secrets/external-secrets.
For now, the old domain will live for a couple of months to give people time to change back. With this release, the values in the helm chart that define where the image is are switched back to ghcr.
The helm chart itself is served from GitHub Pages, so that does not move.
General
Dependencies
- 0d00a56 to 2475ef7 by @dependabot[bot] in #5562
- 982f6f0 to 4c5fdab by @dependabot[bot] in #5566
- d3f0cf7 to d3f0cf7 by @dependabot[bot] in #5595
- dec374e to dcd8128 by @dependabot[bot] in #5594
- 2475ef7 to f2964c7 by @dependabot[bot] in #5597
New Contributors
Full Changelog: external-secrets/external-secrets@v1.0.0...v1.1.0
v1.0.0 (Compare Source)
Image: ghcr.io/external-secrets/external-secrets:v1.0.0
Image: ghcr.io/external-secrets/external-secrets:v1.0.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v1.0.0-ubi-boringssl
What's Changed
General
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.
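As a pre-upgrade check for the breaking change called out in the v2.0.0 release notes above (removal of the Alibaba and Device42 providers), here is an added example that is not part of this PR or of the external-secrets project. It assumes the provider keys under `spec.provider` are spelled `alibaba` and `device42`, as in the pre-2.0 CRDs, and the store list embedded in it is constructed sample data, not taken from a real cluster.

```python
"""Pre-upgrade inventory check for the external-secrets 2.0.0 chart bump.

Lists SecretStore / ClusterSecretStore objects whose spec.provider uses a
provider removed in v2.0.0. Feed it the output of

    kubectl get secretstores,clustersecretstores -A -o json

or run it with no input to exercise the constructed sample below.
"""
import json
import sys

# Provider keys removed in external-secrets v2.0.0 per the release notes.
# Assumption: the keys are spelled as in the pre-2.0 CRDs.
REMOVED_PROVIDERS = frozenset({"alibaba", "device42"})


def stores_using_removed_providers(store_list: dict, removed=REMOVED_PROVIDERS) -> list[dict]:
    """Return one record per store that references a removed provider.

    `store_list` is a Kubernetes List object as produced by `kubectl ... -o json`.
    A store's provider is the single key under spec.provider.
    """
    hits = []
    for item in store_list.get("items", []):
        provider = item.get("spec", {}).get("provider", {}) or {}
        for key in provider:
            if key in removed:
                meta = item.get("metadata", {})
                hits.append({
                    "kind": item.get("kind", "?"),
                    "namespace": meta.get("namespace", ""),  # empty for cluster-scoped stores
                    "name": meta.get("name", "?"),
                    "provider": key,
                })
    return sorted(hits, key=lambda h: (h["kind"], h["namespace"], h["name"]))


# Constructed sample in the shape kubectl emits; not from any real cluster.
SAMPLE_STORE_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"apiVersion": "external-secrets.io/v1", "kind": "SecretStore",
         "metadata": {"name": "aws-prod", "namespace": "apps"},
         "spec": {"provider": {"aws": {"service": "SecretsManager", "region": "eu-west-1"}}}},
        {"apiVersion": "external-secrets.io/v1", "kind": "SecretStore",
         "metadata": {"name": "legacy-alicloud", "namespace": "apps"},
         "spec": {"provider": {"alibaba": {"regionID": "cn-hangzhou"}}}},
        {"apiVersion": "external-secrets.io/v1", "kind": "ClusterSecretStore",
         "metadata": {"name": "cmdb"},
         "spec": {"provider": {"device42": {"host": "device42.example.internal"}}}},
    ],
}


def main() -> int:
    # Use piped kubectl JSON when present, otherwise the constructed sample.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    data = json.loads(raw) if raw.strip() else SAMPLE_STORE_LIST
    hits = stores_using_removed_providers(data)
    for h in hits:
        scope = f"{h['namespace']}/" if h["namespace"] else ""
        print(f"{h['kind']} {scope}{h['name']} uses removed provider '{h['provider']}'")
    # Non-zero exit lets a CI gate block the chart bump until the stores are migrated.
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it against the live cluster before applying the chart bump; a non-zero exit from a CI step blocks the merge until every flagged store has been moved to a provider that still exists in 2.0.0, which avoids the stores silently failing validation after the CRDs are replaced.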