chore(deps): update helm charts

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
argo-cd	helm_release	minor	9.4.17 → 9.5.9
cert-manager (source)	helm_release	patch	v1.20.1 → v1.20.2
cilium (source)	helm_release	patch	1.19.2 → 1.19.3
crossplane (source)		patch	2.2.0 → 2.2.1
csi-driver-nfs	helm_release	patch	4.13.1 → 4.13.2
external-secrets	helm_release	minor	2.2.0 → 2.4.1

---

Release Notes

argoproj/argo-helm (argo-cd)

v9.5.9

Compare Source

A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.

What's Changed

• fix(argo-cd): fixed service port issue with applicationset webhook httproute by @​dromadaire54 in #​3862

Full Changelog: argoproj/argo-helm@argo-cd-9.5.8...argo-cd-9.5.9

v9.5.8

Compare Source

A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.

What's Changed

• chore(deps): update renovatebot/github-action action to v46.1.12 by @​argoproj-renovate[bot] in #​3861
• fix(argo-cd): support empty matches in GRPCRoute and HTTPRoute rules by @​yurrriq in #​3604

Full Changelog: argoproj/argo-helm@argo-cd-9.5.7...argo-cd-9.5.8

v9.5.7

Compare Source

A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.

What's Changed

• feat(argo-cd): Make PrometheusRule API version field overridable like it is in ServiceMonitor manifests. by @​rurod in #​3857

New Contributors

• @​rurod made their first contribution in #​3857

Full Changelog: argoproj/argo-helm@argo-cd-9.5.6...argo-cd-9.5.7

v9.5.6

Compare Source

A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.

What's Changed

• feat(argo-cd): adding httproute support to applicationset webhook by @​dromadaire54 in #​3859

New Contributors

• @​dromadaire54 made their first contribution in #​3859

Full Changelog: argoproj/argo-helm@argo-cd-9.5.5...argo-cd-9.5.6

v9.5.5

Compare Source

A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.

What's Changed

• ci(github): add draft PR lifecycle workflows by @​jmeridth in #​3794
• fix(github): skip draft lifecycle workflows for bot-authored PRs by @​jmeridth in #​3851
• fix(github): correct renovate bot actor name in draft lifecycle workflows by @​jmeridth in #​3855
• chore(deps): update renovatebot/github-action action to v46.1.11 by @​argoproj-renovate[bot] in #​3854
• fix(argo-cd): fix ArgoAppNotSynced PrometheusRule annotation template syntax by @​vrivellino in #​3853

New Contributors

• @​vrivellino made their first contribution in #​3853

Full Changelog: argoproj/argo-helm@argo-workflows-1.0.13...argo-cd-9.5.5

v9.5.4

Compare Source

A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.

What's Changed

• chore(argo-cd): Change order of source URL by @​nebula-it in #​3837

New Contributors

• @​nebula-it made their first contribution in #​3837

Full Changelog: argoproj/argo-helm@argo-cd-9.5.3...argo-cd-9.5.4

v9.5.3

Compare Source

A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.

What's Changed

• chore(deps): bump the dependencies group with 2 updates by @​dependabot[bot] in #​3838
• chore(deps): update renovatebot/github-action action to v46.1.10 by @​argoproj-renovate[bot] in #​3839
• chore(argo-cd): Update dependency argoproj/argo-cd to v3.3.8 by @​argoproj-renovate[bot] in #​3841

Full Changelog: argoproj/argo-helm@argo-cd-9.5.2...argo-cd-9.5.3

v9.5.2

Compare Source

A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.

What's Changed

• chore(argo-cd): Update dependency argoproj/argo-cd to v3.3.7 by @​argoproj-renovate[bot] in #​3836

Full Changelog: argoproj/argo-helm@argo-cd-9.5.1...argo-cd-9.5.2

v9.5.1

Compare Source

A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.

What's Changed

• feat(argo-cd): add repoServer.copyutil.extraArgs with default '--update=none' to support overriding by @​anandrkskd in #​3835

New Contributors

• @​anandrkskd made their first contribution in #​3835

Full Changelog: argoproj/argo-helm@argo-workflows-1.0.10...argo-cd-9.5.1

v9.5.0

Compare Source

A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.

What's Changed

• feat(argo-cd): add VPA support for all components by @​rd-michel in #​3817

New Contributors

• @​rd-michel made their first contribution in #​3817

Full Changelog: argoproj/argo-helm@argo-cd-9.4.18...argo-cd-9.5.0

v9.4.18

Compare Source

A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.

What's Changed

• chore(deps): bump the dependencies group with 2 updates by @​dependabot[bot] in #​3819
• chore(deps): update renovatebot/github-action action to v46.1.8 by @​argoproj-renovate[bot] in #​3820
• chore(argo-cd): Update quay.io/argoprojlabs/argocd-extension-installer Docker tag to v1 by @​argoproj-renovate[bot] in #​3825

Full Changelog: argoproj/argo-helm@argo-workflows-1.0.7...argo-cd-9.4.18

cert-manager/cert-manager (cert-manager)

v1.20.2

Compare Source

v1.20.2 fixes invalid YAML generated in the Helm chart when both webhook.config
and webhook.volumes are defined, and bumps Go to 1.26.2 along with dependencies
to address reported vulnerabilities.

Changes by Kind

Bug or Regression

• Helm: Fix invalid YAML generated when both webhook.config and webhook.volumes are defined. (#​8665, @​cert-manager-bot)

Other (Cleanup or Flake)

• Bump go dependencies with reported vulnerabilities (#​8704, @​erikgb)
• Bump go to 1.26.2 (#​8703, @​erikgb)

cilium/cilium (cilium)

v1.19.3: 1.19.3

Compare Source

Summary of Changes

Minor Changes:

• Fix performance bug in L7 policy proxy redirect handling (Backport PR #​44828, Upstream PR #​44613, @​fristonio)
• Fixes issue where the Cilium agent fails to initialise when using KVStore identity mode with etcd behind a K8s Service (Backport PR #​44828, Upstream PR #​44653, @​41ks)
• helm,docs: add configDriftDetection Helm values and documentation (Backport PR #​44974, Upstream PR #​44703, @​PhilipSchmid)

Bugfixes:

• [v1.19] Fix incorrect policy service selector handling (#​44888, @​fristonio)
• bgp: Fix potential race in service advertisements upon error retry (Backport PR #​45211, Upstream PR #​45049, @​rastislavs)
• clustermesh: fix a bug in the MCS-API CRD installl that could attempt a CRD downgrade when the version label is higher (Backport PR #​44828, Upstream PR #​44738, @​MrFreezeex)
• ctmap: Change order of active maps (Backport PR #​44828, Upstream PR #​44729, @​brb)
• Ensure completion.WaitGroup always has a timeout (Backport PR #​45217, Upstream PR #​44731, @​jrajahalme)
• envoy: Fix xds server npds listeners accounting (Backport PR #​45217, Upstream PR #​44830, @​fristonio)
• Fix a slow memory leak triggered by incremental policy updates (Backport PR #​44994, Upstream PR #​44328, @​odinuge)
• Fix endpoints for static pods stuck in init identity (Backport PR #​45211, Upstream PR #​45016, @​aaroniscode)
• Fix in-cluster NodePort connectivity failure in DSR mode when SocketLB is disabled. When a pod accesses a NodePort service via a remote node's IP (instead of the ClusterIP) and the selected backend resides on the same node as the client, the connection fails due to missing reverse NAT on the reply path. (Backport PR #​44968, Upstream PR #​41963, @​gyutaeb)
• Fix memory leak triggered by policies being created and deleted (Backport PR #​44828, Upstream PR #​44724, @​odinuge)
• Fix panic in Hubble Relay when new peer address is unresolvable (Backport PR #​45211, Upstream PR #​45021, @​pesarkhobeee)
• fix(datapath): ignore link-local IPv6 addresses for NodePort binding (Backport PR #​44974, Upstream PR #​44778, @​Bigdelle)
• Fixed a bug in dual-stack cluster-pool IPAM where an operator restart with a pre-existing duplicate IPv6 PodCIDR could cause the affected node's IPv4 PodCIDR to be incorrectly freed and reassigned to another node. (Backport PR #​44866, Upstream PR #​44832, @​christarazi)
• Fixed an issue where policy update ack is never completed after endpoint deletion. (Backport PR #​44818, Upstream PR #​44754, @​jrajahalme)
• Fixed ipcache identity update hang when last proxy listener is removed. (Backport PR #​45217, Upstream PR #​44597, @​jrajahalme)
• Fixes GRPCRoute being silently excluded from Envoy config when a Gateway listener explicitly sets allowedRoutes.kinds. (Backport PR #​44974, Upstream PR #​44826, @​eufriction)
• Fixes increased CPU usage in hubble observe caused by log coloring feature, even when coloring was disabled (Backport PR #​44828, Upstream PR #​44119, @​tporeba)
• lb: fix panic in orphan backend cleanup when addr is zero-value (Backport PR #​44994, Upstream PR #​44853, @​vipul-21)
• lb: Skip nil slots during BPF map restore to prevent panic (Backport PR #​44974, Upstream PR #​44895, @​vipul-21)
• operator/identitygc: fix nil pointer dereference on shutdown (Backport PR #​45211, Upstream PR #​45091, @​tsotne95)
• wal: Do not truncate in NewWriter (Backport PR #​44974, Upstream PR #​44886, @​joamaki)
• WireGuard now respects the underlay-protocol=ipv6 setting when selecting peer endpoints in dual-stack clusters with IPv6 underlay, fixing connectivity issues where IPv4 was incorrectly used despite being unreachable across nodes. (Backport PR #​45247, Upstream PR #​44629, @​tibrezus)

CI Changes:

• .github/workflows: disable cache for go steps (Backport PR #​45211, Upstream PR #​45073, @​aanm)
• .github/workflows: replace external set-commit-status action (Backport PR #​45211, Upstream PR #​45078, @​aanm)
• .github: cleanup disk before ci-verifier tests (Backport PR #​44994, Upstream PR #​44971, @​aanm)
• allocator: handle unlikely goroutine leak (Backport PR #​44828, Upstream PR #​44589, @​asauber)
• ci: add fail-fast false to ci image builds (Backport PR #​45211, Upstream PR #​45079, @​Artyop)
• ci: fix is-workflow-call check to handle empty input (Backport PR #​45052, Upstream PR #​45020, @​aanm)
• ci: fix PR branch pull step on stable pushes (Backport PR #​45052, Upstream PR #​45019, @​Artyop)
• ci: fix pr number check for base branch retrieval (Backport PR #​45052, Upstream PR #​45024, @​Artyop)
• ci: set TMPDIR=/host/tmp in datapath verifier tests (Backport PR #​45211, Upstream PR #​45047, @​aanm)
• ci: Switch catchpoint/workflow-telemetry-action to our fork (#​45219, @​YutaroHayakawa)
• Fix some test-e2e-upgrade issues (Backport PR #​45211, Upstream PR #​45075, @​aanm)
• fix: escape $ character in regex to prevent injection (Backport PR #​44828, Upstream PR #​44638, @​peoyekunle)
• fix: harden k8s apiserver endpoint access (Backport PR #​44994, Upstream PR #​44863, @​sekhar-isovalent)
• sockets: Ensure bpffs is mounted in TestPrivilegedSocketDestroyers (Backport PR #​45052, Upstream PR #​44979, @​christarazi)

Misc Changes:

• .github/workflows: do not use deployments for environments (Backport PR #​45211, Upstream PR #​44908, @​aanm)
• [v1.19] vendor: update google.golang.org/grpc to v1.79.3 (#​45345, @​aanm)
• bgp: Disable MPTCP in the MD5 probing in the test (Backport PR #​45211, Upstream PR #​45102, @​YutaroHayakawa)
• bgp: Introduce --with-attrs option to bgp/routes (Backport PR #​45211, Upstream PR #​45015, @​YutaroHayakawa)
• bpf: lxc: limit NAT buffer lookup to per-packet LB (Backport PR #​44968, Upstream PR #​44387, @​julianwiedmann)
• bpf: Reduce scope of large variables (Backport PR #​45211, Upstream PR #​45067, @​pchaigno)
• bpf: Use global function for snat_v6_needs_masquerade (Backport PR #​44828, Upstream PR #​44544, @​pchaigno)
• bpf_lxc: improve per-packet LB for NodePort services (Backport PR #​44968, Upstream PR #​44710, @​saiaunghlyanhtet)
• chore(deps): update all github action dependencies (v1.19) (#​44934, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​45038, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​45169, @​cilium-renovate[bot])
• chore(deps): update all github action dependencies (v1.19) (#​45304, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.19) (#​44674, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.19) (#​45039, @​cilium-renovate[bot])
• chore(deps): update all-dependencies (v1.19) (#​45305, @​cilium-renovate[bot])
• chore(deps): update base-images (v1.19) (#​44786, @​cilium-renovate[bot])
• chore(deps): update base-images to v1.25.9 (v1.19) (#​45273, @​cilium-renovate[bot])
• chore(deps): update dependency bufbuild/buf to v1.67.0 (v1.19) (#​45167, @​cilium-renovate[bot])
• chore(deps): update dependency cilium/little-vm-helper to v0.0.29 (v1.19) (#​45280, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/busybox:1.37.0 docker digest to 1487d0a (v1.19) (#​45035, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/golang:1.25.9 docker digest to a95d3d1 (v1.19) (#​45315, @​cilium-renovate[bot])
• chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.9 (v1.19) (#​44929, @​cilium-renovate[bot])
• chore(deps): update module github.com/go-jose/go-jose/v4 to v4.1.4 [security] (v1.19) (#​45149, @​cilium-renovate[bot])
• chore(deps): update module sigs.k8s.io/kube-api-linter to v0.0.0-20260320123815-c9b9b51b278a (v1.19) (#​44930, @​cilium-renovate[bot])
• chore(deps): update module sigs.k8s.io/kube-api-linter to v0.0.0-20260408163332-73b2175ca510 (v1.19) (#​45302, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1773729248-8de84653be3b2b3011e1cee5b3e702f6556fb3df (v1.19) (#​44931, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.35.9-1774363526-9d47d40f80df306891816788b71415813ce49ef3 (v1.19) (#​45036, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.36.5-1775137579-2b3493aca96923190423ccec7e4dbc5f074ccad4 (v1.19) (#​45168, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.36.6-1775912317-d56e4f5fec87556b7aaf3b8edeb100025ec87183 (v1.19) (#​45303, @​cilium-renovate[bot])
• chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.36.6-1776000132-2437d2edeaf4d9b56ef279bd0d71127440c067aa (v1.19) (#​45320, @​cilium-renovate[bot])
• chore(deps): update quay.io/goswagger/swagger docker tag to v0.33.2 (v1.19) (#​44932, @​cilium-renovate[bot])
• chore(deps): update stable lvh-images (v1.19) (patch) (#​45037, @​cilium-renovate[bot])
• docs: document reverse_sk map exhaustion impact on socket termination (Backport PR #​44860, Upstream PR #​44835, @​ysksuzuki)
• docs: Update sphinx theme to v3.1.0 (Backport PR #​45335, Upstream PR #​45289, @​joestringer)
• Fix EKS workflows misc errors (Backport PR #​45052, Upstream PR #​45023, @​aanm)
• fix(deps): update k8s.io patch updates stable to v0.35.3 (v1.19) (patch) (#​44933, @​cilium-renovate[bot])
• fix(deps): update k8s.io/utils digest to 28399d8 (v1.19) (#​44928, @​cilium-renovate[bot])
• fix(deps): update sigs.k8s.io/mcs-api/controllers digest to 4b9911b (v1.19) (#​45177, @​cilium-renovate[bot])
• fix: using a local action needs checkout in eks-cluster-delete (Backport PR #​44994, Upstream PR #​44890, @​sekhar-isovalent)
• helm: Use bash instead of sh in init containers for Ubuntu 24.04 compatibility (Backport PR #​44828, Upstream PR #​44615, @​shivdesh)
• Probe support for BIG TCP for tunnels instead of relying on the config option. (Backport PR #​45211, Upstream PR #​43959, @​gentoo-root)

Other Changes:

• [v1.19] deps: bump cni plugins to v1.9.1 (#​45240, @​ferozsalam)
• chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.6.10 (v1.19) (#​45166, @​cilium-renovate[bot])
• install: Update image digests for v1.19.2 (#​44957, @​cilium-release-bot[bot])
• loadbalancer: Fix issue in resynchronization of state from api-server which may have left stale backends around until an updated EndpointSlice was received (#​45198, @​joamaki)

Docker Manifests

cilium

quay.io/cilium/cilium:v1.19.3@​sha256:2e61680593cddca8b6c055f6d4c849d87a26a1c91c7e3b8b56c7fb76ab7b7b10

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.19.3@​sha256:a8136a7615d6c6041d3aa6f2674d17beaec238170d669507ccc05328a778e2b7

docker-plugin

quay.io/cilium/docker-plugin:v1.19.3@​sha256:728c3903518b0b6904e7208143355b38b7e6de3b514694fb6098b25bb9457397

hubble-relay

quay.io/cilium/hubble-relay:v1.19.3@​sha256:5ee21d57b6ef2aa6db67e603a735fdceb162454b352b7335b651456e308f681b

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.19.3@​sha256:176321a65123373ff8c7823b25183102cbad98375e8d6c80b96d68b6e8491103

operator-aws

quay.io/cilium/operator-aws:v1.19.3@​sha256:a53dcbfb77282bf2ddd3abbe60f6d49762e7c1389a36cb35b71d504644a56640

operator-azure

quay.io/cilium/operator-azure:v1.19.3@​sha256:699c1571a3df1a98882ee13610d47cffb7b34ee7e8d276096db798a5f6c7e4cb

operator-generic

quay.io/cilium/operator-generic:v1.19.3@​sha256:205b09b0ed6accbf9fe688d312a9f0fcfc6a316fc081c23fbffb472af5dd62cd

operator

quay.io/cilium/operator:v1.19.3@​sha256:9075e6944996227574762ec0118caab0145d6e67f821409c4a6756b6b6caf6ea

crossplane/crossplane (crossplane)

v2.2.1

Compare Source

v2.2.1 is a patch release scoped to fixing issues reported by users of Crossplane v2.2 and fixing security related issues in Crossplane's dependencies.

🎉 Highlights

• Dependency upgrades work correctly with ImageConfig prefix rewriting: Packages installed via an ImageConfig prefix rewrite were previously not being upgraded when their dependencies changed, leaving users stuck on stale versions of dependent packages. Dependency upgrades now behave as expected when prefix rewrites are in use. Backported in #​7277, originally fixed in #​7233.

• Composition functions can now select all resources of a given kind: When a composition function returned a Requirements.ResourceSelector with only apiVersion and kind set (no matchName or matchLabels), Crossplane previously rejected this as an invalid request. A selector with no match field is now correctly interpreted as "all resources of that kind". Backported in #​7247, originally fixed in #​7241.

This release also bumps Go to 1.25.9 and pulls in security related updates for a number of Crossplane's upstream dependencies, including cosign, go-git, go-jose, cloudflare/circl, moby/spdystream, sigstore/timestamp-authority, docker/cli, and the OpenTelemetry OTLP HTTP trace exporter

What's Changed

• [Backport release-2.2] build: mitigate potential script injection in promote workflow by @​github-actions[bot] in #​7168
• [Backport release-2.2] fix: adding required permissions to top level and jobs in the workflow by @​github-actions[bot] in #​7175
• chore(deps): update module github.com/cloudflare/circl to v1.6.3 [security] (release-2.2) by @​crossplane-renovate[bot] in #​7182
• [Backport release-2.2] ci: drop Trivy vulnerability scanning by @​github-actions[bot] in #​7238
• chore(deps): update module go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp to v1.43.0 [security] (release-2.2) by @​crossplane-renovate[bot] in #​7290
• chore(deps): update module github.com/go-jose/go-jose/v4 to v4.1.4 [security] (release-2.2) by @​crossplane-renovate[bot] in #​7266
• fix(deps): update module github.com/sigstore/cosign/v3 to v3.0.5 [security] (release-2.2) by @​crossplane-renovate[bot] in #​7184
• fix(deps): update module github.com/go-git/go-git/v5 to v5.17.1 [security] (release-2.2) by @​crossplane-renovate[bot] in #​7183
• chore(deps): update module github.com/docker/cli to v29.2.0+incompatible [security] (release-2.2) - autoclosed by @​crossplane-renovate[bot] in #​7197
• chore(deps): bump Go to 1.25.9 [security] (release-2.2) by @​phisco in #​7307
• [Backport release-2.2] pkg: Correctly handle dependency upgrades with ImageConfig prefix rewriting by @​github-actions[bot] in #​7277
• chore(deps): update module github.com/moby/spdystream to v0.5.1 [security] (release-2.2) by @​crossplane-renovate[bot] in #​7319
• chore(deps): update module github.com/sigstore/timestamp-authority/v2 to v2.0.6 [security] (release-2.2) by @​crossplane-renovate[bot] in #​7320
• [Backport release-2.2] Fix nix lint errors by @​github-actions[bot] in #​7322
• Backport #​7323 to release-2.2 by @​adamwg in #​7324
• [Backport release-2.2] Support ResourceSelector with no match field by @​github-actions[bot] in #​7247
• fix(deps): update module github.com/go-git/go-git/v5 to v5.18.0 [security] (release-2.2) by @​crossplane-renovate[bot] in #​7329
• Bump crossplane-runtime to v2.2.1 by @​lsviben in #​7333

Full Changelog: crossplane/crossplane@v2.2.0...v2.2.1

external-secrets/external-secrets (external-secrets)

v2.4.1

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v2.4.1
Image: ghcr.io/external-secrets/external-secrets:v2.4.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v2.4.1-ubi-boringssl

What's Changed

General

• chore: release chart for v2.4.0 by @​Skarlso in #​6277
• feat(gcp): support multiple replicationLocations on PushSecret by @​alliasgher in #​6225
• feat(passbolt): add custom CA bundle / CA provider support by @​alliasgher in #​6224
• feat(azure): add contentType support for PushSecret by @​ppatel1604 in #​6249
• feat(charts): add liveness probes to cert-controller and webhook by @​mattcarp12 in #​6147
• fix: prevent creation of specific type of secrets by @​Skarlso in #​6280

Dependencies

• chore(deps): bump golang from f853308 to f853308 by @​dependabot[bot] in #​6282
• chore(deps): bump alpine from 2510918 to 5b10f43 in /hack/api-docs by @​dependabot[bot] in #​6285
• chore(deps): bump aquasecurity/trivy-action from 0.35.0 to 0.36.0 by @​dependabot[bot] in #​6283
• chore(deps): bump goreleaser/goreleaser-action from 7.1.0 to 7.2.1 by @​dependabot[bot] in #​6284
• chore(deps): bump ubi9/ubi from cf13fe2 to fd3612e by @​dependabot[bot] in #​6281

Full Changelog: external-secrets/external-secrets@v2.4.0...v2.4.1

v2.4.0

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v2.4.0
Image: ghcr.io/external-secrets/external-secrets:v2.4.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v2.4.0-ubi-boringssl

What's Changed

General

• chore: release helm chart for v2.3.0 by @​Skarlso in #​6204
• fix(docs): hide Scarf tracking pixel to remove page whitespace by @​ppatel1604 in #​6209
• docs: Add Grafana generator documentation by @​jaruwat-panturat in #​6227
• docs: add TLS certificate authentication example for Vault provider by @​alliasgher in #​6212
• docs(cloudsmith): Improve cloudsmith generator documentation by @​cloudsmith-iduffy in #​6232
• docs: add missing specs to GeneratorSpec example by @​jaruwat-panturat in #​6236
• feat(keeper): implement get secret by id or name by @​tiberiuv in #​6163
• chore(secretserver): update dependencies to accept new DelineaXPM/tss-sdk-go by @​DelineaSahilWankhede in #​6240
• docs(release): update documentation links from /main to /latest by @​cinpol in #​6210
• fix: CAProvider cm access by @​moolen in #​6246
• fix(chart): add failurePolicy to ClusterSecretStore webhook by @​ryanjwong in #​6247
• feat(dvls): add name support for entries by @​rbstp in #​6099
• fix(akeyless): upgrade akeyless-go-cloud-id to v0.3.7 by @​alikdolg in #​6248
• chore(deps): bump azure/setup-helm from 3.5 to 5 by @​dependabot[bot] in #​6258
• fix: do not set tags if undefined by @​Skarlso in #​6103
• fix(conjur): return error for unimplemented PushSecret and DeleteSecret by @​antonio-mazzini in #​6266
• docs: Enhance ClusterExternalSecret documentation with "fan-out" approach by @​jaruwat-panturat in #​6241
• feat: add --leader-election-id flag to support HA deployments by @​mattcarp12 in #​6148
• feat(bug): Fix CVE-2026-34165, CVE-2026-33762 and GHSA-3xc5-wrhm-f963 by @​othomann in #​6271
• feat: enhance VaultDynamicSecret GET method to support parameters from the spec by @​samm-git in #​6267
• fix: use a separate parameter for GET calls in VaultDynamicSecrets by @​Skarlso in #​6275

Dependencies

• chore(deps): bump golang from c2a1f7b to c2a1f7b by @​dependabot[bot] in #​6214
• chore(deps): bump platformdirs from 4.9.4 to 4.9.6 in /hack/api-docs by @​dependabot[bot] in #​6219
• chore(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1 by @​dependabot[bot] in #​6216
• chore(deps): bump codelytv/pr-size-labeler from 1.10.3 to 1.10.4 by @​dependabot[bot] in #​6221
• chore(deps): bump ubi9/ubi from 9e6e193 to 039095f by @​dependabot[bot] in #​6213
• chore(deps): bump importlib-resources from 6.5.2 to 7.1.0 in /hack/api-docs by @​dependabot[bot] in #​6220
• chore(deps): bump actions/github-script from 8.0.0 to 9.0.0 by @​dependabot[bot] in #​6215
• chore(deps): bump step-security/harden-runner from 2.16.1 to 2.17.0 by @​dependabot[bot] in #​6217
• chore(deps): bump aws-actions/configure-aws-credentials from 6.0.0 to 6.1.0 by @​dependabot[bot] in #​6218
• chore(deps): bump azure/setup-helm from 3.4 to 3.5 by @​dependabot[bot] in #​6222
• chore(deps): bump softprops/action-gh-release from 2.6.1 to 3.0.0 by @​dependabot[bot] in #​6223
• chore(deps): bump golang from c2a1f7b to f853308 by @​dependabot[bot] in #​6252
• chore(deps): bump alpine from 3.23.3 to 3.23.4 in /e2e by @​dependabot[bot] in #​6261
• chore(deps): bump step-security/harden-runner from 2.17.0 to 2.19.0 by @​dependabot[bot] in #​6254
• chore(deps): bump zizmorcore/zizmor-action from 0.5.2 to 0.5.3 by @​dependabot[bot] in #​6257
• chore(deps): bump actions/cache from 5.0.4 to 5.0.5 by @​dependabot[bot] in #​6259
• chore(deps): bump github/codeql-action from 4.35.1 to 4.35.2 by @​dependabot[bot] in #​6255
• chore(deps): bump packaging from 26.0 to 26.1 in /hack/api-docs by @​dependabot[bot] in #​6263
• chore(deps): bump zipp from 3.23.0 to 3.23.1 in /hack/api-docs by @​dependabot[bot] in #​6262
• chore(deps): bump alpine from 2510918 to 5b10f43 by @​dependabot[bot] in #​6251
• chore(deps): bump ubi9/ubi from 039095f to cf13fe2 by @​dependabot[bot] in #​6253
• chore(deps): bump dependabot/fetch-metadata from 3.0.0 to 3.1.0 by @​dependabot[bot] in #​6260
• chore(deps): bump goreleaser/goreleaser-action from 7.0.0 to 7.1.0 by @​dependabot[bot] in #​6256

New Contributors

• @​alliasgher made their first contribution in #​6212
• @​tiberiuv made their first contribution in [#​6163](https://redirect.github.com/external-secr

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Terraform Plan (03-services)

→ Resource Changes: 0 to create, 5 to update, 0 to re-create, 0 to delete, 0 ephemeral.

♻️ Update

helm_release.argocd

! id                         = "argocd" -> (known after apply)
! metadata                   = {
!     app_version    = "v3.3.6" -> (known after apply)
!     chart          = "argo-cd" -> (known after apply)
!     first_deployed = 1770562152 -> (known after apply)
!     last_deployed  = 1775345187 -> (known after apply)
!     name           = "argocd" -> (known after apply)
!     namespace      = "argocd" -> (known after apply)
!     notes          = <<-EOT
          In order to access the server UI you have the following options:
          
          1. kubectl port-forward service/argocd-server -n argocd 8080:443
          
              and then open the browser on http://localhost:8080 and accept the certificate
          
          2. enable ingress in the values file `server.ingress.enabled` and either
                - Add the annotation for ssl passthrough: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-1-ssl-passthrough
                - Set the `configs.params."server.insecure"` in the values file and terminate SSL at your ingress: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-2-multiple-ingress-objects-and-hosts
          
          
          After reaching the UI the first time you can login with username: admin and the random password generated during the installation. You can find the password by running:
          
          kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
          
          (You should delete the initial secret afterwards as suggested by the Getting Started Guide: https://argo-cd.readthedocs.io/en/stable/getting_started/#4-login-using-the-cli)
      EOT -> (known after apply)
!     revision       = 6 -> (known after apply)
!     values         = jsonencode(
          {
            - applicationSet = {
                - enabled = true
              }
            - configs        = {
                - cm     = {
                    - "oidc.config" = <<-EOT
                          "clientID": "argocd"
                          "clientSecret": "$oidc.authentik.clientSecret"
                          "issuer": "https://auth.lippok.dev/application/o/argocd/"
                          "name": "Authentik"
                          "requestedScopes":
                          - "openid"
                          - "profile"
                          - "email"
                          - "groups"
                      EOT
                    - url           = "https://argocd.lippok.dev"
                  }
                - params = {
                    - "server.insecure" = "true"
                  }
                - rbac   = {
                    - "policy.csv"     = "g, authentik Admins, role:admin"
                    - "policy.default" = "role:readonly"
                    - scopes           = "[groups]"
                  }
              }
            - global         = {
                - logging = {
                    - level = "warn"
                  }
              }
            - notifications  = {
                - enabled       = true
                - notifiers     = {
                    - "service.webhook.discord" = <<-EOT
                          url: $discord-webhook
                      EOT
                    - "service.webhook.github"  = <<-EOT
                          url: https://api.github.com
                          headers:
                            - name: Authorization
                              value: "token $github-token"
                            - name: Content-Type
                              value: application/json
                      EOT
                  }
                - secret        = {
                    - create = false
                  }
                - subscriptions = [
                    - {
                        - recipients = [
                            - "github",
                          ]
                        - triggers   = [
                            - "on-sync-running",
                            - "on-sync-succeeded",
                            - "on-sync-failed",
                            - "on-health-degraded",
                          ]
                      },
                    - {
                        - recipients = [
                            - "discord",
                          ]
                        - triggers   = [
                            - "on-app-failed",
                          ]
                      },
                  ]
                - templates     = {
                    - "template.discord-alert"        = <<-EOT
                          webhook:
                            discord:
                              method: POST
                              path: /
                              body: |
                                {
                                  "content": "**ArgoCD** `{{.app.metadata.name}}` — {{if eq .app.status.operationState.phase "Error"}}Sync error: {{.app.status.operationState.message}}{{else if eq .app.status.operationState.phase "Failed"}}Sync failed: {{.app.status.operationState.message}}{{else}}Health degraded ({{.app.status.health.status}}){{end}}\n<https://argocd.lippok.dev/applications/{{.app.metadata.name}}>"
                                }
                      EOT
                    - "template.github-commit-status" = <<-EOT
                          webhook:
                            github:
                              method: POST
                              path: /repos/{{call .repo.FullNameByRepoURL .app.spec.source.repoURL}}/statuses/{{.app.status.operationState.operation.sync.revision}}
                              body: |
                                {
                                  "state": "{{if eq .app.status.operationState.phase "Running"}}pending{{else if and (eq .app.status.operationState.phase "Succeeded") (eq .app.status.health.status "Healthy")}}success{{else}}failure{{end}}",
                                  "description": "{{if eq .app.status.operationState.phase "Running"}}Syncing…{{else if and (eq .app.status.operationState.phase "Succeeded") (eq .app.status.health.status "Healthy")}}Healthy{{else if eq .app.status.health.status "Degraded"}}Health degraded{{else}}Sync failed{{end}}",
                                  "target_url": "https://argocd.lippok.dev/applications/{{.app.metadata.name}}",
                                  "context": "argocd/{{.app.metadata.name}}"
                                }
                      EOT
                  }
                - triggers      = {
                    - "trigger.on-app-failed"      = <<-EOT
                          - when: app.status.operationState.phase in ['Error', 'Failed'] || app.status.health.status == 'Degraded'
                            send: [discord-alert]
                      EOT
                    - "trigger.on-health-degraded" = <<-EOT
                          - when: app.spec.source.repoURL contains 'github.com' && app.status.health.status == 'Degraded'
                            send: [github-commit-status]
                      EOT
                    - "trigger.on-sync-failed"     = <<-EOT
                          - when: app.spec.source.repoURL contains 'github.com' && app.status.operationState.phase in ['Error', 'Failed']
                            send: [github-commit-status]
                      EOT
                    - "trigger.on-sync-running"    = <<-EOT
                          - when: app.spec.source.repoURL contains 'github.com' && app.status.operationState != nil && app.status.operationState.phase in ['Running']
                            send: [github-commit-status]
                      EOT
                    - "trigger.on-sync-succeeded"  = <<-EOT
                          - when: app.spec.source.repoURL contains 'github.com' && app.status.operationState.phase in ['Succeeded'] && app.status.health.status == 'Healthy'
                            send: [github-commit-status]
                      EOT
                  }
              }
            - redis          = {
                - enabled      = true
                - volumeMounts = [
                    - {
                        - mountPath = "/data"
                        - name      = "redis-data"
                      },
                  ]
                - volumes      = [
                    - {
                        - emptyDir = {
                            - medium    = "Memory"
                            - sizeLimit = "1Gi"
                          }
                        - name     = "redis-data"
                      },
                  ]
              }
            - redis-ha       = {
                - enabled = false
              }
            - repoServer     = {
                - env            = [
                    - {
                        - name  = "TMPDIR"
                        - value = "/nfs-tmp"
                      },
                  ]
                - initContainers = [
                    - {
                        - command         = [
                            - "sh",
                            - "-c",
                            - "chown 999:999 /nfs-tmp && chmod 777 /nfs-tmp",
                          ]
                        - image           = "busybox"
                        - name            = "fix-nfs-permissions"
                        - securityContext = {
                            - runAsUser = 0
                          }
                        - volumeMounts    = [
                            - {
                                - mountPath = "/nfs-tmp"
                                - name      = "nfs-tmp"
                              },
                          ]
                      },
                  ]
                - volumeMounts   = [
                    - {
                        - mountPath = "/nfs-tmp"
                        - name      = "nfs-tmp"
                      },
                  ]
                - volumes        = [
                    - {
                        - name                  = "nfs-tmp"
                        - persistentVolumeClaim = {
                            - claimName = "argocd-repo-server-nfs"
                          }
                      },
                  ]
              }
            - server         = {
                - extraArgs = [
                    - "--insecure",
                  ]
              }
          }
      ) -> (known after apply)
!     version        = "9.4.17" -> (known after apply)
  } -> (known after apply)
  name                       = "argocd"
! version                    = "9.4.17" -> "9.5.9"
  # (28 unchanged attributes hidden)

helm_release.cert_manager

! id                         = "cert-manager" -> (known after apply)
! metadata                   = {
!     app_version    = "v1.20.1" -> (known after apply)
!     chart          = "cert-manager" -> (known after apply)
!     first_deployed = 1770562151 -> (known after apply)
!     last_deployed  = 1775345185 -> (known after apply)
!     name           = "cert-manager" -> (known after apply)
!     namespace      = "cert-manager" -> (known after apply)
!     notes          = <<-EOT
          cert-manager v1.20.1 has been deployed successfully!
          
          In order to begin issuing certificates, you will need to set up a ClusterIssuer
          or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
          
          More information on the different types of issuers and how to configure them
          can be found in our documentation:
          
          https://cert-manager.io/docs/configuration/
          
          For information on how to configure cert-manager to automatically provision
          Certificates for Ingress resources, take a look at the `ingress-shim`
          documentation:
          
          https://cert-manager.io/docs/usage/ingress/
          
          For information on how to configure cert-manager to automatically provision
          Certificates for Gateway API resources, take a look at the `gateway resource`
          documentation:
          
          https://cert-manager.io/docs/usage/gateway/
      EOT -> (known after apply)
!     revision       = 2 -> (known after apply)
!     values         = jsonencode(
          {
            - config = {
                - apiVersion       = "controller.config.cert-manager.io/v1alpha1"
                - enableGatewayAPI = true
                - kind             = "ControllerConfiguration"
              }
            - crds   = {
                - enabled = true
              }
          }
      ) -> (known after apply)
!     version        = "v1.20.1" -> (known after apply)
  } -> (known after apply)
  name                       = "cert-manager"
! version                    = "v1.20.1" -> "v1.20.2"
  # (28 unchanged attributes hidden)

helm_release.cilium

! id                         = "cilium" -> (known after apply)
! metadata                   = {
!     app_version    = "1.19.2" -> (known after apply)
!     chart          = "cilium" -> (known after apply)
!     first_deployed = 1770561953 -> (known after apply)
!     last_deployed  = 1777388715 -> (known after apply)
!     name           = "cilium" -> (known after apply)
!     namespace      = "kube-system" -> (known after apply)
!     notes          = <<-EOT
          You have successfully installed Cilium with Hubble Relay and Hubble UI.
          
          Your release version is 1.19.2.
          
          For any further help, visit https://docs.cilium.io/en/v1.19/gettinghelp
      EOT -> (known after apply)
!     revision       = 41 -> (known after apply)
!     values         = jsonencode(
          {
            - cgroup               = {
                - autoMount = {
                    - enabled = false
                  }
                - hostRoot  = "/sys/fs/cgroup"
              }
            - cluster              = {
                - id   = 1
                - name = "homelab-k8s"
              }
            - clustermesh          = {
                - apiserver    = {
                    - podAnnotations = {
                        - "cilium.io/caBundleChangeRestartedAt" = "2026-04-22T21:31:38Z"
                      }
                    - service        = {
                        - type = "LoadBalancer"
                      }
                    - tls            = {
                        - auto = {
                            - certManagerIssuerRef = {
                                - group = "cert-manager.io"
                                - kind  = "ClusterIssuer"
                                - name  = "internal-ca-issuer"
                              }
                            - certValidityDuration = 90
                            - enabled              = true
                            - method               = "certmanager"
                          }
                      }
                  }
                - config       = {
                    - clusters = []
                    - enabled  = false
                  }
                - mcsapi       = {
                    - enabled = true
                  }
                - useAPIServer = false
              }
            - gatewayAPI           = {
                - enabled = true
              }
            - hubble               = {
                - enabled = true
                - metrics = {
                    - enableOpenMetrics = true
                    - enabled           = [
                        - "dns:query;ignoreAAAA",
                        - "drop",
                        - "tcp",
                        - "icmp",
                      ]
                    - serviceMonitor    = {
                        - enabled  = true
                        - interval = "30s"
                        - labels   = {
                            - release = "kube-prometheus-stack"
                          }
                      }
                  }
                - relay   = {
                    - enabled    = true
                    - prometheus = {
                        - enabled        = true
                        - serviceMonitor = {
                            - enabled  = true
                            - interval = "30s"
                            - labels   = {
                                - release = "kube-prometheus-stack"
                              }
                          }
                      }
                  }
                - tls     = {
                    - auto = {
                        - certManagerIssuerRef = {
                            - group = "cert-manager.io"
                            - kind  = "ClusterIssuer"
                            - name  = "internal-ca-issuer"
                          }
                        - certValidityDuration = 90
                        - enabled              = true
                        - method               = "certmanager"
                      }
                  }
                - ui      = {
                    - enabled = true
                  }
              }
            - ipam                 = {
                - mode = "kubernetes"
              }
            - k8sServiceHost       = "127.0.0.1"
            - k8sServicePort       = 7445
            - kubeProxyReplacement = "true"
            - l2announcements      = {
                - enabled = true
              }
            - operator             = {
                - prometheus = {
                    - enabled        = true
                    - serviceMonitor = {
                        - enabled  = true
                        - interval = "30s"
                        - labels   = {
                            - release = "kube-prometheus-stack"
                          }
                      }
                  }
              }
            - prometheus           = {
                - enabled        = true
                - serviceMonitor = {
                    - enabled  = true
                    - interval = "30s"
                    - labels   = {
                        - release = "kube-prometheus-stack"
                      }
                  }
              }
            - securityContext      = {
                - capabilities = {
                    - ciliumAgent      = [
                        - "CHOWN",
                        - "KILL",
                        - "NET_ADMIN",
                        - "NET_RAW",
                        - "IPC_LOCK",
                        - "SYS_ADMIN",
                        - "SYS_RESOURCE",
                        - "DAC_OVERRIDE",
                        - "FOWNER",
                        - "SETGID",
                        - "SETUID",
                      ]
                    - cleanCiliumState = [
                        - "NET_ADMIN",
                        - "SYS_ADMIN",
                        - "SYS_RESOURCE",
                      ]
                  }
              }
            - tls                  = {
                - ca       = {
                    - cert = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJmRENDQVNLZ0F3SUJBZ0lRYU1iTEJjdU9XcW9uTFVNODJob3hPREFLQmdncWhrak9QUVFEQWpBZU1Sd3cKR2dZRFZRUURFeE5vYjIxbGJHRmlMV2x1ZEdWeWJtRnNMV05oTUI0WERUSTJNRFF4T1RJeE5UQXpPVm9YRFRNMgpNRFF4TmpJeE5UQXpPVm93SGpFY01Cb0dBMVVFQXhNVGFHOXRaV3hoWWkxcGJuUmxjbTVoYkMxallUQlpNQk1HCkJ5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCQXB1d2xaT2pZWlplVEFHOFEwelVBSGhxYmlGTWlmZlZDRk0KTjNpeExKUk9MNUYwSWxPejRuZlZqOExML1JJQU1mcFBDYVZJelVWOTIzai9qNWRacXdhalFqQkFNQTRHQTFVZApEd0VCL3dRRUF3SUJoakFQQmdOVkhSTUJBZjhFQlRBREFRSC9NQjBHQTFVZERnUVdCQlFFZW5KM2dKb0Nray81CnVpbHhtcjFsRTZ4ZHpqQUtCZ2dxaGtqT1BRUURBZ05JQURCRkFpQTRjcmNiSjhLL2pRWTgyTFJMY0t6OC9RdVUKRXMrSHBPQW9YTXlFMSt0ZFN3SWhBT1RWQnliYTJEaUlrcndhRmYwWVlJU1Z5bXNlenpGS3c1a1ZKUE93d3R6YQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg=="
                    - key  = "LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUFqSi9UdU1wQ0JBVFh5dHpHZEpOVEo4OUtFS1BLZWxqTFl6Y3NLbTdMaFdvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFQ203Q1ZrNk5obGw1TUFieERUTlFBZUdwdUlVeUo5OVVJVXczZUxFc2xFNHZrWFFpVTdQaQpkOVdQd3N2OUVnQXgrazhKcFVqTlJYM2JlUCtQbDFtckJnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo="
                  }
                - caBundle = {
                    - content   = <<-EOT
                          -----BEGIN CERTIFICATE-----
                          MIIBfDCCASKgAwIBAgIQaMbLBcuOWqonLUM82hoxODAKBggqhkjOPQQDAjAeMRww
                          GgYDVQQDExNob21lbGFiLWludGVybmFsLWNhMB4XDTI2MDQxOTIxNTAzOVoXDTM2
                          MDQxNjIxNTAzOVowHjEcMBoGA1UEAxMTaG9tZWxhYi1pbnRlcm5hbC1jYTBZMBMG
                          ByqGSM49AgEGCCqGSM49AwEHA0IABApuwlZOjYZZeTAG8Q0zUAHhqbiFMiffVCFM
                          N3ixLJROL5F0IlOz4nfVj8LL/RIAMfpPCaVIzUV923j/j5dZqwajQjBAMA4GA1Ud
                          DwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQEenJ3gJoCkk/5
                          uilxmr1lE6xdzjAKBggqhkjOPQQDAgNIADBFAiA4crcbJ8K/jQY82LRLcKz8/QuU
                          Es+HpOAoXMyE1+tdSwIhAOTVByba2DiIkrwaFf0YYISVymsezzFKw5kVJPOwwtza
                          -----END CERTIFICATE-----
                          -----BEGIN CERTIFICATE-----
                          MIIBfDCCASKgAwIBAgIQaMbLBcuOWqonLUM82hoxODAKBggqhkjOPQQDAjAeMRww
                          GgYDVQQDExNob21lbGFiLWludGVybmFsLWNhMB4XDTI2MDQxOTIxNTAzOVoXDTM2
                          MDQxNjIxNTAzOVowHjEcMBoGA1UEAxMTaG9tZWxhYi1pbnRlcm5hbC1jYTBZMBMG
                          ByqGSM49AgEGCCqGSM49AwEHA0IABApuwlZOjYZZeTAG8Q0zUAHhqbiFMiffVCFM
                          N3ixLJROL5F0IlOz4nfVj8LL/RIAMfpPCaVIzUV923j/j5dZqwajQjBAMA4GA1Ud
                          DwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQEenJ3gJoCkk/5
                          uilxmr1lE6xdzjAKBggqhkjOPQQDAgNIADBFAiA4crcbJ8K/jQY82LRLcKz8/QuU
                          Es+HpOAoXMyE1+tdSwIhAOTVByba2DiIkrwaFf0YYISVymsezzFKw5kVJPOwwtza
                          -----END CERTIFICATE-----
                          
                          -----BEGIN CERTIFICATE-----
                          MIIDFDCCAfygAwIBAgIRAJXBbQTS+sMvtj+J89ZZvX4wDQYJKoZIhvcNAQELBQAw
                          FDESMBAGA1UEAxMJQ2lsaXVtIENBMB4XDTI2MDQxMDEwNTQzMVoXDTI5MDQwOTEw
                          NTQzMVowFDESMBAGA1UEAxMJQ2lsaXVtIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC
                          AQ8AMIIBCgKCAQEAtxyIOV4aRrd13VncGSYBzQ45TkbhU2xAELCo6ijtXhtCsvTV
                          rGzzMDCSFypy/3UnhQ6J1H/oHI+200j9elQCldG7OFndy1SrFcTIbIoFo9Mllc3r
                          GZM0wbzuWN/owx6+WEooZdKmGEKygHnF1Lqe5Q2p9TEnJmnTmmq/E6/i8MhOhPTk
                          zB0vQ2vB/m1uAGYed+/F9k1v1KAtyoOAJ7H47nmvDbmwZUXIdDUN6fMKbzzCb4re
                          +vhNHxhsKYrt6/ywIPcWBv1keacFzsmOg1C8ZtDLO9XtHsU+/6Zv3FzTH3jiZY6h
                          pvIrfvIta1roSeNPxELKNPBy0oER5V3ywCZV7wIDAQABo2EwXzAOBgNVHQ8BAf8E
                          BAMCAqQwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA8GA1UdEwEB/wQF
                          MAMBAf8wHQYDVR0OBBYEFFOZK0o7WqLYici0MlBwVwko+xlkMA0GCSqGSIb3DQEB
                          CwUAA4IBAQAbaccj94AZ/k7djpOJ3w6n7BZbYgTeWIe7NRFTAny/MYBYGmrqmp2I
                          AvNS7/pPXIKDZwY28BUoz2x4NXbnrwNmCCX7b6foEX6Qux8hETyUQNmL/9W286kQ
                          Uy1AgJLBkUglnfOBpNwFscaA94hz4+IoP7ZtFR2nNwWuRgvAtEhlw7MQ9BcT7NID
                          rP1Tdy50siJSP9K69in02r5mJL8qINW5HGbTjP8iA0Y7dSZrlJ4Pb3REJaKWh9Pj
                          9zJVGADYfBSY9KPlHV+j8a6s6v4PAQ+5OeWG92UL0LmkAacTiXyGy9YCOHhW6lIs
                          MvySIW+CtHEnguwWYEXNfbJrHB1i8hrp
                          -----END CERTIFICATE-----
                          -----BEGIN CERTIFICATE-----
                          MIIDFDCCAfygAwIBAgIRAJXBbQTS+sMvtj+J89ZZvX4wDQYJKoZIhvcNAQELBQAw
                          FDESMBAGA1UEAxMJQ2lsaXVtIENBMB4XDTI2MDQxMDEwNTQzMVoXDTI5MDQwOTEw
                          NTQzMVowFDESMBAGA1UEAxMJQ2lsaXVtIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC
                          AQ8AMIIBCgKCAQEAtxyIOV4aRrd13VncGSYBzQ45TkbhU2xAELCo6ijtXhtCsvTV
                          rGzzMDCSFypy/3UnhQ6J1H/oHI+200j9elQCldG7OFndy1SrFcTIbIoFo9Mllc3r
                          GZM0wbzuWN/owx6+WEooZdKmGEKygHnF1Lqe5Q2p9TEnJmnTmmq/E6/i8MhOhPTk
                          zB0vQ2vB/m1uAGYed+/F9k1v1KAtyoOAJ7H47nmvDbmwZUXIdDUN6fMKbzzCb4re
                          +vhNHxhsKYrt6/ywIPcWBv1keacFzsmOg1C8ZtDLO9XtHsU+/6Zv3FzTH3jiZY6h
                          pvIrfvIta1roSeNPxELKNPBy0oER5V3ywCZV7wIDAQABo2EwXzAOBgNVHQ8BAf8E
                          BAMCAqQwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA8GA1UdEwEB/wQF
                          MAMBAf8wHQYDVR0OBBYEFFOZK0o7WqLYici0MlBwVwko+xlkMA0GCSqGSIb3DQEB
                          CwUAA4IBAQAbaccj94AZ/k7djpOJ3w6n7BZbYgTeWIe7NRFTAny/MYBYGmrqmp2I
                          AvNS7/pPXIKDZwY28BUoz2x4NXbnrwNmCCX7b6foEX6Qux8hETyUQNmL/9W286kQ
                          Uy1AgJLBkUglnfOBpNwFscaA94hz4+IoP7ZtFR2nNwWuRgvAtEhlw7MQ9BcT7NID
                          rP1Tdy50siJSP9K69in02r5mJL8qINW5HGbTjP8iA0Y7dSZrlJ4Pb3REJaKWh9Pj
                          9zJVGADYfBSY9KPlHV+j8a6s6v4PAQ+5OeWG92UL0LmkAacTiXyGy9YCOHhW6lIs
                          MvySIW+CtHEnguwWYEXNfbJrHB1i8hrp
                          -----END CERTIFICATE-----
                      EOT
                    - enabled   = true
                    - key       = "ca.crt"
                    - name      = "cilium-root-ca.crt"
                    - useSecret = false
                  }
              }
          }
      ) -> (known after apply)
!     version        = "1.19.2" -> (known after apply)
  } -> (known after apply)
  name                       = "cilium"
! values                     = [
!     (sensitive value),
  ]
! version                    = "1.19.2" -> "1.19.3"
  # (27 unchanged attributes hidden)

helm_release.csi_driver_nfs

! id                         = "csi-driver-nfs" -> (known after apply)
! metadata                   = {
!     app_version    = "4.13.1" -> (known after apply)
!     chart          = "csi-driver-nfs" -> (known after apply)
!     first_deployed = 1770561951 -> (known after apply)
!     last_deployed  = 1775344870 -> (known after apply)
!     name           = "csi-driver-nfs" -> (known after apply)
!     namespace      = "kube-system" -> (known after apply)
!     notes          = <<-EOT
          The CSI NFS Driver is getting deployed to your cluster.
          
          To check CSI NFS Driver pods status, please run:
          
            kubectl --namespace=kube-system get pods --selector="app.kubernetes.io/instance=csi-driver-nfs" --watch
      EOT -> (known after apply)
!     revision       = 2 -> (known after apply)
!     values         = jsonencode({}) -> (known after apply)
!     version        = "4.13.1" -> (known after apply)
  } -> (known after apply)
  name                       = "csi-driver-nfs"
! version                    = "4.13.1" -> "4.13.2"
  # (27 unchanged attributes hidden)

helm_release.external_secrets

! id                         = "external-secrets" -> (known after apply)
! metadata                   = {
!     app_version    = "v2.2.0" -> (known after apply)
!     chart          = "external-secrets" -> (known after apply)
!     first_deployed = 1772488004 -> (known after apply)
!     last_deployed  = 1775345185 -> (known after apply)
!     name           = "external-secrets" -> (known after apply)
!     namespace      = "external-secrets" -> (known after apply)
!     notes          = <<-EOT
          external-secrets has been deployed successfully in namespace external-secrets!
          
          In order to begin using ExternalSecrets, you will need to set up a SecretStore
          or ClusterSecretStore resource (for example, by creating a 'vault' SecretStore).
          
          More information on the different types of SecretStores and how to configure them
          can be found in our Github: https://github.com/external-secrets/external-secrets
      EOT -> (known after apply)
!     revision       = 3 -> (known after apply)
!     values         = jsonencode(
          {
            - installCRDs = true
          }
      ) -> (known after apply)
!     version        = "2.2.0" -> (known after apply)
  } -> (known after apply)
  name                       = "external-secrets"
! version                    = "2.2.0" -> "2.4.1"
  # (28 unchanged attributes hidden)

---

Triggered by @renovate[bot], Commit: 8340b2dedfc4d90027186ad6fb75702ffefa4492