feat(helm): update chart external-secrets ( 0.10.7 → 0.12.1 )

[renovate]

This PR contains the following updates:

Package	Update	Change
external-secrets	minor	0.10.7 -> 0.12.1

---

Release Notes

external-secrets/external-secrets (external-secrets)

v0.12.1

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.12.1
Image: ghcr.io/external-secrets/external-secrets:v0.12.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.12.1-ubi-boringssl

What's Changed

• chore(deps): bump ubi8/ubi from 7287624 to 37cdac4 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4245
• revert: softprops update failing the release process by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4248

Full Changelog: external-secrets/external-secrets@v0.12.0...v0.12.1

v0.11.0

Compare Source

Deprecation of OLM Releases

As of 0.11.0 is the last release available for OLM until further notice. Depending on the way this goes, we might still have OLM support (ideally with a properly built operator for that), but for sure in a different support scheme as to not overload maintainers anymore.
Also a valid note - you can still use 0.11.0 OLM release and the newest ESO images, you just need to set image.tag appropriately in your setup.

Kubernetes API load and significant decrease

A new way of reconciling external secrets has been added with pull request #​4086.

This significantly reduces the number of API calls that we make to the kubernetes API server.

1. Memory usage might increase if you are not already using --enable-secrets-caching
   1. If you are using --enable-secrets-caching and want to decrease memory usage at the expense of slightly higher API usage, you can disable it and only enable --enable-managed-secrets-caching (which is the new default)
2. In ALL cases (even when CreationPolicy is Merge), if a data key in the target Secret was created by the ExternalSecret, and it no longer exists in the template (or data/dataFrom), it will be removed from the target secret:
   1. This might cause some peoples secrets to be "cleaned of data keys" when updating to 0.11.
   2. Previously, the behaviour was undefined, and confusing because it was sort of broken when the template feature was added.
   3. The one exception is that ALL the data suddenly becomes empty and the DeletionPolicy is retain, in which case we will not even report and error, just change the SecretSynced message to explain that the secret was retained.
3. When CreationPolicy is Owner, we now will NEVER retain any keys and fully calculate the "desired state" of the target secret each loop:
   1. This means that some peoples secrets might have keys removed when updating to 0.11.

Generators and ClusterGenerator

We added ClusterGenerators and Generator caching as well. This might create some problems in the way generators are defined now.

CRD Admission Restrictions

All of the CRDs now have proper kubebuilder markers for validation. This might surprise someone leaving out some data that was essentially actually required or expected in a certain format. This is now validated in #​4104.

Images

Image: ghcr.io/external-secrets/external-secrets:v0.11.0
Image: ghcr.io/external-secrets/external-secrets:v0.11.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.11.0-ubi-boringssl

What's Changed

• chore: bump version v0.10.7 by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4141
• feat: significantly reduce api calls and introduce partial secret cache by @​thesuperzapper in https://github.com/external-secrets/external-secrets/pull/4086
• chore(deps): bump mkdocs-material from 9.5.44 to 9.5.45 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4143
• chore(deps): bump tornado from 6.4.1 to 6.4.2 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4144
• chore(deps): bump codecov/codecov-action from 5.0.2 to 5.0.7 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4145
• chore(deps): bump aquasecurity/trivy-action from 0.28.0 to 0.29.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4146
• chore(deps): bump github/codeql-action from 3.27.4 to 3.27.5 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4147
• chore: update dependencies by @​eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4148
• fix: gitlab empty response by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4152
• feat: add ability to push expiration date to secret in azure key vault by @​deggja in https://github.com/external-secrets/external-secrets/pull/4149
• feat: implement a cluster-wide generator by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4140
• feat: Add API key auth support on BeyondTrust provider by @​dtejadav in https://github.com/external-secrets/external-secrets/pull/4101
• Add support for multiple Items fields in DelineSecretServer secrets by @​ronaldosaheki in https://github.com/external-secrets/external-secrets/pull/4051
• chore: deprecation policy and deprecating process by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4154
• fix: use cache when retrieving generators by @​thesuperzapper in https://github.com/external-secrets/external-secrets/pull/4153
• fix: e2e test for AWS not setting name and namespace by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4157
• fix: handle managed identity ClientID or ResourceID in acr generator by @​bonddim in https://github.com/external-secrets/external-secrets/pull/4150
• feat: add CRD validation for resource name/key fields by @​thesuperzapper in https://github.com/external-secrets/external-secrets/pull/4104
• fix: issues with generators by @​thesuperzapper in https://github.com/external-secrets/external-secrets/pull/4163

New Contributors

• @​thesuperzapper made their first contribution in https://github.com/external-secrets/external-secrets/pull/4086
• @​deggja made their first contribution in https://github.com/external-secrets/external-secrets/pull/4149
• @​dtejadav made their first contribution in https://github.com/external-secrets/external-secrets/pull/4101
• @​ronaldosaheki made their first contribution in https://github.com/external-secrets/external-secrets/pull/4051
• @​bonddim made their first contribution in https://github.com/external-secrets/external-secrets/pull/4150

Full Changelog: external-secrets/external-secrets@v0.10.7...v0.11.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[carpenike-bot]

--- kubernetes/cluster-0/apps/security/external-secrets/app Kustomization: flux-system/external-secrets HelmRelease: security/external-secrets

+++ kubernetes/cluster-0/apps/security/external-secrets/app Kustomization: flux-system/external-secrets HelmRelease: security/external-secrets

@@ -14,13 +14,13 @@

       chart: external-secrets
       interval: 30m
       sourceRef:
         kind: HelmRepository
         name: external-secrets
         namespace: flux-system
-      version: 0.10.7
+      version: 0.12.1
   interval: 30m
   values:
     certController:
       image:
         repository: ghcr.io/external-secrets/external-secrets
       serviceMonitor:

[carpenike-bot]

--- HelmRelease: security/external-secrets ClusterRole: security/external-secrets-controller

+++ HelmRelease: security/external-secrets ClusterRole: security/external-secrets-controller

@@ -43,17 +43,20 @@

   - update
   - patch
 - apiGroups:
   - generators.external-secrets.io
   resources:
   - acraccesstokens
+  - clustergenerators
   - ecrauthorizationtokens
   - fakes
   - gcraccesstokens
   - githubaccesstokens
   - passwords
+  - stssessiontokens
+  - uuids
   - vaultdynamicsecrets
   - webhooks
   verbs:
   - get
   - list
   - watch
--- HelmRelease: security/external-secrets ClusterRole: security/external-secrets-view

+++ HelmRelease: security/external-secrets ClusterRole: security/external-secrets-view

@@ -23,12 +23,13 @@

   - watch
   - list
 - apiGroups:
   - generators.external-secrets.io
   resources:
   - acraccesstokens
+  - clustergenerators
   - ecrauthorizationtokens
   - fakes
   - gcraccesstokens
   - githubaccesstokens
   - passwords
   - vaultdynamicsecrets
--- HelmRelease: security/external-secrets ClusterRole: security/external-secrets-edit

+++ HelmRelease: security/external-secrets ClusterRole: security/external-secrets-edit

@@ -24,12 +24,13 @@

   - patch
   - update
 - apiGroups:
   - generators.external-secrets.io
   resources:
   - acraccesstokens
+  - clustergenerators
   - ecrauthorizationtokens
   - fakes
   - gcraccesstokens
   - githubaccesstokens
   - passwords
   - vaultdynamicsecrets
--- HelmRelease: security/external-secrets Deployment: security/external-secrets-cert-controller

+++ HelmRelease: security/external-secrets Deployment: security/external-secrets-cert-controller

@@ -34,13 +34,13 @@

             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
-        image: ghcr.io/external-secrets/external-secrets:v0.10.7
+        image: ghcr.io/external-secrets/external-secrets:v0.12.1
         imagePullPolicy: IfNotPresent
         args:
         - certcontroller
         - --crd-requeue-interval=5m
         - --service-name=external-secrets-webhook
         - --service-namespace=security
--- HelmRelease: security/external-secrets Deployment: security/external-secrets

+++ HelmRelease: security/external-secrets Deployment: security/external-secrets

@@ -34,13 +34,13 @@

             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
-        image: ghcr.io/external-secrets/external-secrets:v0.10.7
+        image: ghcr.io/external-secrets/external-secrets:v0.12.1
         imagePullPolicy: IfNotPresent
         args:
         - --concurrent=1
         - --metrics-addr=:8080
         - --loglevel=info
         - --zap-time-encoding=epoch
--- HelmRelease: security/external-secrets Deployment: security/external-secrets-webhook

+++ HelmRelease: security/external-secrets Deployment: security/external-secrets-webhook

@@ -34,13 +34,13 @@

             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
-        image: ghcr.io/external-secrets/external-secrets:v0.10.7
+        image: ghcr.io/external-secrets/external-secrets:v0.12.1
         imagePullPolicy: IfNotPresent
         args:
         - webhook
         - --port=10250
         - --dns-name=external-secrets-webhook.security.svc
         - --cert-dir=/tmp/certs

[carpenike-bot]

🦙 MegaLinter status: ❌ ERROR

Descriptor	Linter	Files	Fixed	Errors	Elapsed time
❌ COPYPASTE	jscpd	yes		2	1.15s
✅ REPOSITORY	git_diff	yes		no	0.06s
✅ REPOSITORY	secretlint	yes		no	3.46s
⚠️ YAML	prettier	1		1	0.35s
❌ YAML	yamllint	1		1	0.34s

See detailed report in MegaLinter reports
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

MegaLinter is graciously provided by