feat(helm)!: Update chart external-secrets to 2.4.1

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change
external-secrets	major	0.9.18 → 2.4.1

---

Release Notes

external-secrets/external-secrets (external-secrets)

v2.4.1

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v2.4.1
Image: ghcr.io/external-secrets/external-secrets:v2.4.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v2.4.1-ubi-boringssl

What's Changed

General

• chore: release chart for v2.4.0 by @​Skarlso in #​6277
• feat(gcp): support multiple replicationLocations on PushSecret by @​alliasgher in #​6225
• feat(passbolt): add custom CA bundle / CA provider support by @​alliasgher in #​6224
• feat(azure): add contentType support for PushSecret by @​ppatel1604 in #​6249
• feat(charts): add liveness probes to cert-controller and webhook by @​mattcarp12 in #​6147
• fix: prevent creation of specific type of secrets by @​Skarlso in #​6280

Dependencies

• chore(deps): bump golang from f853308 to f853308 by @​dependabot[bot] in #​6282
• chore(deps): bump alpine from 2510918 to 5b10f43 in /hack/api-docs by @​dependabot[bot] in #​6285
• chore(deps): bump aquasecurity/trivy-action from 0.35.0 to 0.36.0 by @​dependabot[bot] in #​6283
• chore(deps): bump goreleaser/goreleaser-action from 7.1.0 to 7.2.1 by @​dependabot[bot] in #​6284
• chore(deps): bump ubi9/ubi from cf13fe2 to fd3612e by @​dependabot[bot] in #​6281

Full Changelog: external-secrets/external-secrets@v2.4.0...v2.4.1

v2.4.0

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v2.4.0
Image: ghcr.io/external-secrets/external-secrets:v2.4.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v2.4.0-ubi-boringssl

What's Changed

General

• chore: release helm chart for v2.3.0 by @​Skarlso in #​6204
• fix(docs): hide Scarf tracking pixel to remove page whitespace by @​ppatel1604 in #​6209
• docs: Add Grafana generator documentation by @​jaruwat-panturat in #​6227
• docs: add TLS certificate authentication example for Vault provider by @​alliasgher in #​6212
• docs(cloudsmith): Improve cloudsmith generator documentation by @​cloudsmith-iduffy in #​6232
• docs: add missing specs to GeneratorSpec example by @​jaruwat-panturat in #​6236
• feat(keeper): implement get secret by id or name by @​tiberiuv in #​6163
• chore(secretserver): update dependencies to accept new DelineaXPM/tss-sdk-go by @​DelineaSahilWankhede in #​6240
• docs(release): update documentation links from /main to /latest by @​cinpol in #​6210
• fix: CAProvider cm access by @​moolen in #​6246
• fix(chart): add failurePolicy to ClusterSecretStore webhook by @​ryanjwong in #​6247
• feat(dvls): add name support for entries by @​rbstp in #​6099
• fix(akeyless): upgrade akeyless-go-cloud-id to v0.3.7 by @​alikdolg in #​6248
• chore(deps): bump azure/setup-helm from 3.5 to 5 by @​dependabot[bot] in #​6258
• fix: do not set tags if undefined by @​Skarlso in #​6103
• fix(conjur): return error for unimplemented PushSecret and DeleteSecret by @​antonio-mazzini in #​6266
• docs: Enhance ClusterExternalSecret documentation with "fan-out" approach by @​jaruwat-panturat in #​6241
• feat: add --leader-election-id flag to support HA deployments by @​mattcarp12 in #​6148
• feat(bug): Fix CVE-2026-34165, CVE-2026-33762 and GHSA-3xc5-wrhm-f963 by @​othomann in #​6271
• feat: enhance VaultDynamicSecret GET method to support parameters from the spec by @​samm-git in #​6267
• fix: use a separate parameter for GET calls in VaultDynamicSecrets by @​Skarlso in #​6275

Dependencies

• chore(deps): bump golang from c2a1f7b to c2a1f7b by @​dependabot[bot] in #​6214
• chore(deps): bump platformdirs from 4.9.4 to 4.9.6 in /hack/api-docs by @​dependabot[bot] in #​6219
• chore(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1 by @​dependabot[bot] in #​6216
• chore(deps): bump codelytv/pr-size-labeler from 1.10.3 to 1.10.4 by @​dependabot[bot] in #​6221
• chore(deps): bump ubi9/ubi from 9e6e193 to 039095f by @​dependabot[bot] in #​6213
• chore(deps): bump importlib-resources from 6.5.2 to 7.1.0 in /hack/api-docs by @​dependabot[bot] in #​6220
• chore(deps): bump actions/github-script from 8.0.0 to 9.0.0 by @​dependabot[bot] in #​6215
• chore(deps): bump step-security/harden-runner from 2.16.1 to 2.17.0 by @​dependabot[bot] in #​6217
• chore(deps): bump aws-actions/configure-aws-credentials from 6.0.0 to 6.1.0 by @​dependabot[bot] in #​6218
• chore(deps): bump azure/setup-helm from 3.4 to 3.5 by @​dependabot[bot] in #​6222
• chore(deps): bump softprops/action-gh-release from 2.6.1 to 3.0.0 by @​dependabot[bot] in #​6223
• chore(deps): bump golang from c2a1f7b to f853308 by @​dependabot[bot] in #​6252
• chore(deps): bump alpine from 3.23.3 to 3.23.4 in /e2e by @​dependabot[bot] in #​6261
• chore(deps): bump step-security/harden-runner from 2.17.0 to 2.19.0 by @​dependabot[bot] in #​6254
• chore(deps): bump zizmorcore/zizmor-action from 0.5.2 to 0.5.3 by @​dependabot[bot] in #​6257
• chore(deps): bump actions/cache from 5.0.4 to 5.0.5 by @​dependabot[bot] in #​6259
• chore(deps): bump github/codeql-action from 4.35.1 to 4.35.2 by @​dependabot[bot] in #​6255
• chore(deps): bump packaging from 26.0 to 26.1 in /hack/api-docs by @​dependabot[bot] in #​6263
• chore(deps): bump zipp from 3.23.0 to 3.23.1 in /hack/api-docs by @​dependabot[bot] in #​6262
• chore(deps): bump alpine from 2510918 to 5b10f43 by @​dependabot[bot] in #​6251
• chore(deps): bump ubi9/ubi from 039095f to cf13fe2 by @​dependabot[bot] in #​6253
• chore(deps): bump dependabot/fetch-metadata from 3.0.0 to 3.1.0 by @​dependabot[bot] in #​6260
• chore(deps): bump goreleaser/goreleaser-action from 7.0.0 to 7.1.0 by @​dependabot[bot] in #​6256

New Contributors

• @​alliasgher made their first contribution in #​6212
• @​tiberiuv made their first contribution in #​6163
• @​cinpol made their first contribution in #​6210
• @​ryanjwong made their first contribution in #​6247
• @​alikdolg made their first contribution in #​6248
• @​antonio-mazzini made their first contribution in #​6266
• @​mattcarp12 made their first contribution in #​6148

Full Changelog: external-secrets/external-secrets@v2.3.0...v2.4.0

v2.3.0

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v2.3.0
Image: ghcr.io/external-secrets/external-secrets:v2.3.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v2.3.0-ubi-boringssl

What's Changed

General

• chore: release charts v2.2.0 by @​riccardomc in #​6115
• ref(modernize): modernize go code by @​ivankatliarchuk in #​6114
• chore: bump bitwarden helm chart version to v0.6.0 by @​Skarlso in #​6118
• chore: fix EoL in compatiblity table for version 2.2 by @​riccardomc in #​6128
• docs: add missing jinja2 tags by @​MindTooth in #​6136
• fix: cached uid after deleting a store by @​Skarlso in #​6138
• feat(doppler): add ETag-based caching by @​mikesellitto in #​5997
• fix(docs): fix metadata structure in Google Secrets Manager docs by @​mruoss in #​6139
• feat: ovh provider implementation by @​ldesauw in #​6101
• feat(providers): Implement PushSecret for Delinea Secret Server by @​pr0ton11 in #​6031
• fix: propagate objectMeta and ownerReferences to target resources by @​jaruwat-panturat in #​6132
• fix(release): remove docs.check and all relative calls by @​jaruwat-panturat in #​6146
• feat: support service account impersonation when using Workload Identity Federation with a k8s service account by @​zoomoid in #​5707
• fix: remove getHostByName from template funcs by @​moolen in #​6164
• ref(kubernetes): move auth package from kubernetes to esutils by @​alekc in #​6149
• docs: fix templating.md by @​dangbert in #​6168
• fix(onepasswordsdk): support native 1Password item IDs in findItem by @​LeahArmstrong in #​6167
• docs(ovhcloud): fix heterogeneous configuration documentation by @​ldesauw in #​6169
• docs: add OVHcloud in ADOPTERS by @​scraly in #​6172
• fix(docs): resolve macro syntax error in templating guide by @​ManvithaP-hub in #​6171
• chore: rip out sprig dependency by @​Skarlso in #​6170
• chore: fix jose cve by @​Skarlso in #​6178
• docs: document correct htpasswd function usage by @​Atomsoldat in #​6177
• feat(pushsecret): add dataTo support for bulk secret pushing by @​mohamed-rekiba in #​5850
• docs: add existing blog post: ESO integration with ovhcloud secret manager with vault provider by @​scraly in #​6190
• feat: move experimental-enable-vault-token-cache out of experimental and add expiry to validation by @​sfotony in #​5397
• fix: prevent feedback loop by @​moolen in #​6021
• fix: code scanning issues by @​Skarlso in #​6063
• feat: add source null byte policy by @​knelasevero in #​6194
• fix(test): fix broken test from automerge rebase by @​knelasevero in #​6199
• fix(aws): handle empty resource policy in PushSecret for SecretsManager by @​maks3201 in #​6145
• feat(github): add orgSecretVisibility field to GithubProvider by @​iamnoah in #​6202
• feat(onepasswordSDK): multi-field and complete PushSecret by @​Dariusch in #​6187
• feat(vault): add VaultRole attribute for TLS auth by @​RicoGunawan12 in #​6160
• chore: bump go version to 1.26.2 by @​Skarlso in #​6203

Dependencies

• chore(deps): bump actions/cache from 5.0.3 to 5.0.4 by @​dependabot[bot] in #​6121
• chore(deps): bump mkdocs-material from 9.7.5 to 9.7.6 in /hack/api-docs by @​dependabot[bot] in #​6125
• chore(deps): bump ubi9/ubi from 6ed9f6f to 1fc04e8 by @​dependabot[bot] in #​6119
• chore(deps): bump azure/login from 2.3.0 to 3.0.0 by @​dependabot[bot] in #​6120
• chore(deps): bump codecov/codecov-action from 5.5.2 to 5.5.3 by @​dependabot[bot] in #​6124
• chore(deps): bump github/codeql-action from 4.32.6 to 4.34.1 by @​dependabot[bot] in #​6122
• chore(deps): bump anchore/sbom-action from 0.23.1 to 0.24.0 by @​dependabot[bot] in #​6123
• chore(deps): bump importlib-metadata from 8.7.1 to 9.0.0 in /hack/api-docs by @​dependabot[bot] in #​6126
• chore(deps): bump sigstore/cosign-installer from 4.1.0 to 4.1.1 by @​dependabot[bot] in #​6154
• chore(deps): bump pymdown-extensions from 10.21 to 10.21.2 in /hack/api-docs by @​dependabot[bot] in #​6157
• chore(deps): bump actions/setup-go from 6.3.0 to 6.4.0 by @​dependabot[bot] in #​6151
• chore(deps): bump github/codeql-action from 4.34.1 to 4.35.1 by @​dependabot[bot] in #​6152
• chore(deps): bump dependabot/fetch-metadata from 2.5.0 to 3.0.0 by @​dependabot[bot] in #​6153
• chore(deps): bump pygments from 2.19.2 to 2.20.0 in /hack/api-docs by @​dependabot[bot] in #​6155
• chore(deps): bump regex from 2026.2.28 to 2026.3.32 in /hack/api-docs by @​dependabot[bot] in #​6156
• chore(deps): bump requests from 2.32.5 to 2.33.0 in /hack/api-docs by @​dependabot[bot] in #​6158
• chore(deps): bump ubi9/ubi from 1fc04e8 to 9e6e193 by @​dependabot[bot] in #​6150
• chore(deps): bump step-security/harden-runner from 2.16.0 to 2.16.1 by @​dependabot[bot] in #​6180
• chore(deps): bump charset-normalizer from 3.4.6 to 3.4.7 in /hack/api-docs by @​dependabot[bot] in #​6183
• chore(deps): bump click from 8.3.1 to 8.3.2 in /hack/api-docs by @​dependabot[bot] in #​6185
• chore(deps): bump fossas/fossa-action from 1.8.0 to 1.9.0 by @​dependabot[bot] in #​6181
• chore(deps): bump docker/login-action from 4.0.0 to 4.1.0 by @​dependabot[bot] in #​6182
• chore(deps): bump regex from 2026.3.32 to 2026.4.4 in /hack/api-docs by @​dependabot[bot] in #​6184

New Contributors

• @​MindTooth made their first contribution in #​6136
• @​ldesauw made their first contribution in #​6101
• @​pr0ton11 made their first contribution in #​6031
• @​zoomoid made their first contribution in #​5707
• @​dangbert made their first contribution in #​6168
• @​LeahArmstrong made their first contribution in #​6167
• @​scraly made their first contribution in #​6172
• @​ManvithaP-hub made their first contribution in #​6171
• @​Atomsoldat made their first contribution in #​6177
• @​mohamed-rekiba made their first contribution in #​5850
• @​sfotony made their first contribution in #​5397
• @​maks3201 made their first contribution in #​6145
• @​iamnoah made their first contribution in #​6202
• @​RicoGunawan12 made their first contribution in #​6160

Full Changelog: external-secrets/external-secrets@v2.2.0...v2.3.0

v2.2.0

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v2.2.0
Image: ghcr.io/external-secrets/external-secrets:v2.2.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v2.2.0-ubi-boringssl

What's Changed

General

• chore: release charts v2.1.0 by @​Skarlso in #​6030
• chore: fix the stability doc by @​Skarlso in #​6035
• fix(security): Fix vulnerabilities by @​othomann in #​6052
• fix(aws): sync tags and resource policy even when secret value unchanged by @​evs-secops in #​6025
• fix: publish now uses docker build v4 which required some changes by @​Skarlso in #​6062
• feat(gcpsm): auto-detect projectID from GCP metadata server by @​patjlm in #​5922
• chore(templating): Remove years in license and their checks by @​evrardj-roche in #​5955
• docs: Add Roche to official ADOPTERS by @​evrardj-roche in #​6076
• feat: Add Last Sync column to ExternalSecret and PushSecret printers by @​jaruwat-panturat in #​6068
• fix(onepassword): support native item IDs by @​chadxz in #​6073
• feat: extract LGTM processor to external JS file with tests by @​mateenali66 in #​6074
• feat: fail fast if LGTM label does not exist in repository by @​mateenali66 in #​6078
• feat(passbolt): add support for Passbolt V5 API by @​cedricherzog-passbolt in #​5919
• fix(infisical): dataFrom.find.path should filter by secret path not name by @​johnvox in #​6086
• fix: disable the priority queue which misbehaves at scale by @​Skarlso in #​6083
• chore: update go version to 1.26.1 by @​Skarlso in #​6072
• docs(aws): fix PushSecret metadata indentation in resource policy exa... by @​Br1an67 in #​6056
• fix(aws): prevent EC2 IMDS fallback when explicit credentials are pro... by @​Br1an67 in #​6036
• feat(templating): Add certSANs function to extract SANs from certificates by @​mzdeb in #​6058
• docs: document template.metadata labels/annotations behavior by @​lucpas in #​6102
• fix: CODEOWNERS are seriously out of date by @​Skarlso in #​6106
• feat(helm): add readinessProbe support for external-secrets deployment by @​AlexOQ in #​5831
• fix: update grpc for CVE-2026-33186 by @​Skarlso in #​6108
• feat(azurekv): add expiration time to azure kv secret by @​muraliavarma in #​5935
• feat: add path to cloud.ru provider by @​heavyandrew in #​5952
• fix(add-eso-version): fix separator line pattern in add_eso_version.sh script by @​riccardomc in #​6113

Dependencies

• chore(deps): bump zizmorcore/zizmor-action from 0.5.0 to 0.5.2 by @​dependabot[bot] in #​6038
• chore(deps): bump charset-normalizer from 3.4.4 to 3.4.5 in /hack/api-docs by @​dependabot[bot] in #​6047
• chore(deps): bump platformdirs from 4.9.2 to 4.9.4 in /hack/api-docs by @​dependabot[bot] in #​6050
• chore(deps): bump mkdocs-material from 9.7.3 to 9.7.4 in /hack/api-docs by @​dependabot[bot] in #​6049
• chore(deps): bump github/codeql-action from 4.32.4 to 4.32.6 by @​dependabot[bot] in #​6039
• chore(deps): bump step-security/harden-runner from 2.15.0 to 2.15.1 by @​dependabot[bot] in #​6043
• chore(deps): bump actions/dependency-review-action from 4.8.3 to 4.9.0 by @​dependabot[bot] in #​6040
• chore(deps): bump crazy-max/ghaction-import-gpg from 6.3.0 to 7.0.0 by @​dependabot[bot] in #​6044
• chore(deps): bump docker/login-action from 3.7.0 to 4.0.0 by @​dependabot[bot] in #​6042
• chore(deps): bump docker/setup-buildx-action from 3.12.0 to 4.0.0 by @​dependabot[bot] in #​6041
• chore(deps): bump docker/setup-qemu-action from 3.7.0 to 4.0.0 by @​dependabot[bot] in #​6046
• chore(deps): bump aquasecurity/trivy-action from 0.34.1 to 0.35.0 by @​dependabot[bot] in #​6048
• chore(deps): bump anchore/sbom-action from 0.23.0 to 0.23.1 by @​dependabot[bot] in #​6093
• chore(deps): bump distroless/static from 28efbe9 to 47b2d72 by @​dependabot[bot] in #​6088
• chore(deps): bump ubi9/ubi from cecb1cd to 6ed9f6f by @​dependabot[bot] in #​6087
• chore(deps): bump mkdocs-material from 9.7.4 to 9.7.5 in /hack/api-docs by @​dependabot[bot] in #​6096
• chore(deps): bump tornado from 6.5.4 to 6.5.5 in /hack/api-docs by @​dependabot[bot] in #​6094
• chore(deps): bump charset-normalizer from 3.4.5 to 3.4.6 in /hack/api-docs by @​dependabot[bot] in #​6095
• chore(deps): bump step-security/harden-runner from 2.15.1 to 2.16.0 by @​dependabot[bot] in #​6089
• chore(deps): bump sigstore/cosign-installer from 4.0.0 to 4.1.0 by @​dependabot[bot] in #​6092
• chore(deps): bump softprops/action-gh-release from 2.5.0 to 2.6.1 by @​dependabot[bot] in #​6090
• chore(deps): bump actions/create-github-app-token from 2.2.1 to 3.0.0 by @​dependabot[bot] in #​6091

New Contributors

• @​othomann made their first contribution in #​6052
• @​evs-secops made their first contribution in #​6025
• @​patjlm made their first contribution in #​5922
• @​jaruwat-panturat made their first contribution in #​6068
• @​chadxz made their first contribution in #​6073
• @​mateenali66 made their first contribution in #​6074
• @​cedricherzog-passbolt made their first contribution in #​5919
• @​johnvox made their first contribution in #​6086
• @​Br1an67 made their first contribution in #​6056
• @​mzdeb made their first contribution in #​6058
• @​lucpas made their first contribution in #​6102
• @​AlexOQ made their first contribution in #​5831
• @​muraliavarma made their first contribution in #​5935
• @​heavyandrew made their first contribution in #​5952

Full Changelog: external-secrets/external-secrets@v2.1.0...v2.2.0

v2.1.0

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v2.1.0
Image: ghcr.io/external-secrets/external-secrets:v2.1.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v2.1.0-ubi-boringssl

What's Changed

General

• chore(release): Update helm chart by @​evrardj-roche in #​5981
• fix: cosign verify does not use signing config by @​gusfcarvalho in #​5982
• docs: Update release process by @​evrardj-roche in #​5980
• fix: allow cross-namespace push with ClusterSecretStore objects by @​Skarlso in #​5998
• feat(charts): add new flag enable leader for cert-manager by @​nutmos in #​5863
• feat(kubernetes): fall back to system CA roots when no CA is configured by @​rajsinghtech in #​5961
• feat: dedup sbom but keep it monolithic by @​moolen in #​6004
• fix: add missing metrics and fundamentally fix the caching logic by @​Skarlso in #​5894
• docs: designate Oracle Vault provider as 'stable' by @​anders-swanson in #​6020
• docs: Oracle Vault provider capabilities by @​anders-swanson in #​6023
• docs(azurekv): cert-manager pushsecret example and cleanups by @​illrill in #​5972
• feat(kubernetes): implement SecretExists by @​Saku2 in #​5973
• fix(charts): Fix wrongly set annotations for cert-controller metrics service by @​josemaia in #​6029
• feat(providers): Nebius MysteryBox integration by @​greenmapc in #​5868

Dependencies

• chore(deps): bump aquasecurity/trivy-action from 0.34.0 to 0.34.1 by @​dependabot[bot] in #​5986
• chore(deps): bump mkdocs-material from 9.7.1 to 9.7.2 in /hack/api-docs by @​dependabot[bot] in #​5992
• chore(deps): bump ubi9/ubi from b8923f5 to cecb1cd by @​dependabot[bot] in #​5984
• chore(deps): bump helm/kind-action from 1.13.0 to 1.14.0 by @​dependabot[bot] in #​5985
• chore(deps): bump actions/dependency-review-action from 4.8.2 to 4.8.3 by @​dependabot[bot] in #​5990
• chore(deps): bump github/codeql-action from 4.32.3 to 4.32.4 by @​dependabot[bot] in #​5989
• chore(deps): bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0 by @​dependabot[bot] in #​5987
• chore(deps): bump regex from 2026.1.15 to 2026.2.19 in /hack/api-docs by @​dependabot[bot] in #​5991
• chore(deps): bump actions/stale from 10.1.1 to 10.2.0 by @​dependabot[bot] in #​5988
• chore(deps): bump regex from 2026.2.19 to 2026.2.28 in /hack/api-docs by @​dependabot[bot] in #​6012
• chore(deps): bump mkdocs-material from 9.7.2 to 9.7.3 in /hack/api-docs by @​dependabot[bot] in #​6014
• chore(deps): bump step-security/harden-runner from 2.14.2 to 2.15.0 by @​dependabot[bot] in #​6015
• chore(deps): bump anchore/sbom-action from 0.22.2 to 0.23.0 by @​dependabot[bot] in #​6016
• chore(deps): bump certifi from 2026.1.4 to 2026.2.25 in /hack/api-docs by @​dependabot[bot] in #​6013
• chore(deps): bump actions/setup-go from 6.2.0 to 6.3.0 by @​dependabot[bot] in #​6010
• chore(deps): bump hashicorp/setup-terraform from ce70bcf to 5e8dbf3 by @​dependabot[bot] in #​6011
• chore(deps): bump actions/attest-build-provenance from 3.2.0 to 4.1.0 by @​dependabot[bot] in #​6009
• chore(deps): bump distroless/static from 972618c to 28efbe9 by @​dependabot[bot] in #​6008

New Contributors

• @​nutmos made their first contribution in #​5863
• @​rajsinghtech made their first contribution in #​5961
• @​illrill made their first contribution in #​5972
• @​Saku2 made their first contribution in #​5973
• @​greenmapc made their first contribution in #​5868

Full Changelog: external-secrets/external-secrets@v2.0.1...v2.1.0

v2.0.1

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v2.0.1
Image: ghcr.io/external-secrets/external-secrets:v2.0.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v2.0.1-ubi-boringssl

BREAKING CHANGE

The sprig update is actually a breaking change. It turns out that some of the functions in templating changed with this update.

What's Changed

General

• chore: release helm chart for v2.0.0 by @​Skarlso in #​5932
• docs: update the stability doc with the new version by @​Skarlso in #​5933
• chore(doc): add loblaw to adopter md by @​FZhg in #​5937
• chore: bump golang to 1.25.7 because of cve by @​Skarlso in #​5938
• fix: deleting the whole secret when it is empty by @​Skarlso in #​5927
• chore: update controller runtime by @​Skarlso in #​5930
• fix: update cosign and syft for signing by @​Skarlso in #​5958
• fix: the informer can not register use GetInformer instead by @​Skarlso in #​5931
• fix: attempt to fix cosign compatibility issues by @​gusfcarvalho in #​5959
• chore: remove outdated info from stability doc by @​Skarlso in #​5971
• chore(deps): update Masterminds/sprig to 8cb06fe… by @​tete17 in #​5747
• docs(release): Update support matrix by @​evrardjp in #​5978

Dependencies

• chore(deps): bump golang from 20c8a94 to f6751d8 by @​dependabot[bot] in #​5940
• chore(deps): bump ubi9/ubi from c8df11b to b8923f5 by @​dependabot[bot] in #​5939
• chore(deps): bump distroless/static from cd64bec to 972618c by @​dependabot[bot] in #​5941
• chore(deps): bump github/codeql-action from 4.32.0 to 4.32.2 by [@​dependabot](https://redirect.g

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "every weekend"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

--- HelmRelease: security/external-secrets ClusterRole: security/external-secrets-cert-controller

+++ HelmRelease: security/external-secrets ClusterRole: security/external-secrets-cert-controller

@@ -20,21 +20,37 @@

   - patch
 - apiGroups:
   - admissionregistration.k8s.io
   resources:
   - validatingwebhookconfigurations
   verbs:
-  - get
   - list
   - watch
+  - get
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  resourceNames:
+  - secretstore-validate
+  - externalsecret-validate
+  verbs:
   - update
   - patch
 - apiGroups:
   - ''
   resources:
   - endpoints
+  verbs:
+  - list
+  - get
+  - watch
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
   verbs:
   - list
   - get
   - watch
 - apiGroups:
   - ''
--- HelmRelease: security/external-secrets ClusterRole: security/external-secrets-controller

+++ HelmRelease: security/external-secrets ClusterRole: security/external-secrets-controller

@@ -13,12 +13,13 @@

   resources:
   - secretstores
   - clustersecretstores
   - externalsecrets
   - clusterexternalsecrets
   - pushsecrets
+  - clusterpushsecrets
   verbs:
   - get
   - list
   - watch
 - apiGroups:
   - external-secrets.io
@@ -35,26 +36,51 @@

   - clusterexternalsecrets
   - clusterexternalsecrets/status
   - clusterexternalsecrets/finalizers
   - pushsecrets
   - pushsecrets/status
   - pushsecrets/finalizers
+  - clusterpushsecrets
+  - clusterpushsecrets/status
+  - clusterpushsecrets/finalizers
   verbs:
+  - get
   - update
   - patch
 - apiGroups:
   - generators.external-secrets.io
   resources:
+  - generatorstates
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+  - deletecollection
+- apiGroups:
+  - generators.external-secrets.io
+  resources:
   - acraccesstokens
+  - cloudsmithaccesstokens
+  - clustergenerators
   - ecrauthorizationtokens
   - fakes
   - gcraccesstokens
   - githubaccesstokens
+  - quayaccesstokens
   - passwords
+  - sshkeys
+  - stssessiontokens
+  - uuids
   - vaultdynamicsecrets
   - webhooks
+  - grafanas
+  - mfas
   verbs:
   - get
   - list
   - watch
 - apiGroups:
   - ''
@@ -62,12 +88,19 @@

   - serviceaccounts
   - namespaces
   verbs:
   - get
   - list
   - watch
+- apiGroups:
+  - ''
+  resources:
+  - namespaces
+  verbs:
+  - update
+  - patch
 - apiGroups:
   - ''
   resources:
   - configmaps
   verbs:
   - get
@@ -103,7 +136,15 @@

   resources:
   - externalsecrets
   verbs:
   - create
   - update
   - delete
+- apiGroups:
+  - external-secrets.io
+  resources:
+  - pushsecrets
+  verbs:
+  - create
+  - update
+  - delete
 
--- HelmRelease: security/external-secrets ClusterRole: security/external-secrets-view

+++ HelmRelease: security/external-secrets ClusterRole: security/external-secrets-view

@@ -15,26 +15,35 @@

   - external-secrets.io
   resources:
   - externalsecrets
   - secretstores
   - clustersecretstores
   - pushsecrets
+  - clusterpushsecrets
   verbs:
   - get
   - watch
   - list
 - apiGroups:
   - generators.external-secrets.io
   resources:
   - acraccesstokens
+  - cloudsmithaccesstokens
+  - clustergenerators
   - ecrauthorizationtokens
   - fakes
   - gcraccesstokens
   - githubaccesstokens
+  - quayaccesstokens
   - passwords
+  - sshkeys
   - vaultdynamicsecrets
   - webhooks
+  - grafanas
+  - generatorstates
+  - mfas
+  - uuids
   verbs:
   - get
   - watch
   - list
 
--- HelmRelease: security/external-secrets ClusterRole: security/external-secrets-edit

+++ HelmRelease: security/external-secrets ClusterRole: security/external-secrets-edit

@@ -14,29 +14,38 @@

   - external-secrets.io
   resources:
   - externalsecrets
   - secretstores
   - clustersecretstores
   - pushsecrets
+  - clusterpushsecrets
   verbs:
   - create
   - delete
   - deletecollection
   - patch
   - update
 - apiGroups:
   - generators.external-secrets.io
   resources:
   - acraccesstokens
+  - cloudsmithaccesstokens
+  - clustergenerators
   - ecrauthorizationtokens
   - fakes
   - gcraccesstokens
   - githubaccesstokens
+  - quayaccesstokens
   - passwords
+  - sshkeys
   - vaultdynamicsecrets
   - webhooks
+  - grafanas
+  - generatorstates
+  - mfas
+  - uuids
   verbs:
   - create
   - delete
   - deletecollection
   - patch
   - update
--- HelmRelease: security/external-secrets ClusterRole: security/external-secrets-servicebindings

+++ HelmRelease: security/external-secrets ClusterRole: security/external-secrets-servicebindings

@@ -10,11 +10,12 @@

     app.kubernetes.io/managed-by: Helm
 rules:
 - apiGroups:
   - external-secrets.io
   resources:
   - externalsecrets
+  - pushsecrets
   verbs:
   - get
   - list
   - watch
 
--- HelmRelease: security/external-secrets Service: security/external-secrets-webhook

+++ HelmRelease: security/external-secrets Service: security/external-secrets-webhook

@@ -10,13 +10,13 @@

     app.kubernetes.io/managed-by: Helm
     external-secrets.io/component: webhook
 spec:
   type: ClusterIP
   ports:
   - port: 443
-    targetPort: 10250
+    targetPort: webhook
     protocol: TCP
     name: webhook
   selector:
     app.kubernetes.io/name: external-secrets-webhook
     app.kubernetes.io/instance: external-secrets
 
--- HelmRelease: security/external-secrets Deployment: security/external-secrets-cert-controller

+++ HelmRelease: security/external-secrets Deployment: security/external-secrets-cert-controller

@@ -34,28 +34,37 @@

             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
-        image: ghcr.io/external-secrets/external-secrets:v0.9.18
+        image: ghcr.io/external-secrets/external-secrets:v2.4.1
         imagePullPolicy: IfNotPresent
         args:
         - certcontroller
         - --crd-requeue-interval=5m
         - --service-name=external-secrets-webhook
         - --service-namespace=security
         - --secret-name=external-secrets-webhook
         - --secret-namespace=security
         - --metrics-addr=:8080
         - --healthz-addr=:8081
+        - --loglevel=info
+        - --zap-time-encoding=epoch
+        - --enable-partial-cache=true
         ports:
         - containerPort: 8080
           protocol: TCP
           name: metrics
+        - containerPort: 8081
+          protocol: TCP
+          name: ready
         readinessProbe:
           httpGet:
-            port: 8081
+            port: ready
             path: /readyz
           initialDelaySeconds: 20
           periodSeconds: 5
+          timeoutSeconds: 5
+          failureThreshold: 3
+          successThreshold: 1
 
--- HelmRelease: security/external-secrets Deployment: security/external-secrets

+++ HelmRelease: security/external-secrets Deployment: security/external-secrets

@@ -34,17 +34,19 @@

             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
-        image: ghcr.io/external-secrets/external-secrets:v0.9.18
+        image: ghcr.io/external-secrets/external-secrets:v2.4.1
         imagePullPolicy: IfNotPresent
         args:
         - --concurrent=1
         - --metrics-addr=:8080
+        - --loglevel=info
+        - --zap-time-encoding=epoch
         ports:
         - containerPort: 8080
           protocol: TCP
           name: metrics
       dnsPolicy: ClusterFirst
 
--- HelmRelease: security/external-secrets Deployment: security/external-secrets-webhook

+++ HelmRelease: security/external-secrets Deployment: security/external-secrets-webhook

@@ -34,35 +34,43 @@

             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
-        image: ghcr.io/external-secrets/external-secrets:v0.9.18
+        image: ghcr.io/external-secrets/external-secrets:v2.4.1
         imagePullPolicy: IfNotPresent
         args:
         - webhook
         - --port=10250
         - --dns-name=external-secrets-webhook.security.svc
         - --cert-dir=/tmp/certs
         - --check-interval=5m
         - --metrics-addr=:8080
         - --healthz-addr=:8081
+        - --loglevel=info
+        - --zap-time-encoding=epoch
         ports:
         - containerPort: 8080
           protocol: TCP
           name: metrics
         - containerPort: 10250
           protocol: TCP
           name: webhook
+        - containerPort: 8081
+          protocol: TCP
+          name: ready
         readinessProbe:
           httpGet:
-            port: 8081
+            port: ready
             path: /readyz
           initialDelaySeconds: 20
           periodSeconds: 5
+          timeoutSeconds: 5
+          failureThreshold: 3
+          successThreshold: 1
         volumeMounts:
         - name: certs
           mountPath: /tmp/certs
           readOnly: true
       volumes:
       - name: certs
--- HelmRelease: security/external-secrets ValidatingWebhookConfiguration: security/secretstore-validate

+++ HelmRelease: security/external-secrets ValidatingWebhookConfiguration: security/secretstore-validate

@@ -1,55 +1,60 @@

 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: secretstore-validate
   labels:
+    app.kubernetes.io/name: external-secrets-webhook
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/managed-by: Helm
     external-secrets.io/component: webhook
 webhooks:
 - name: validate.secretstore.external-secrets.io
   rules:
   - apiGroups:
     - external-secrets.io
     apiVersions:
-    - v1beta1
+    - v1
     operations:
     - CREATE
     - UPDATE
     - DELETE
     resources:
     - secretstores
     scope: Namespaced
   clientConfig:
     service:
       namespace: security
       name: external-secrets-webhook
-      path: /validate-external-secrets-io-v1beta1-secretstore
+      path: /validate-external-secrets-io-v1-secretstore
   admissionReviewVersions:
   - v1
   - v1beta1
   sideEffects: None
   timeoutSeconds: 5
+  failurePolicy: Fail
 - name: validate.clustersecretstore.external-secrets.io
   rules:
   - apiGroups:
     - external-secrets.io
     apiVersions:
-    - v1beta1
+    - v1
     operations:
     - CREATE
     - UPDATE
     - DELETE
     resources:
     - clustersecretstores
     scope: Cluster
   clientConfig:
     service:
       namespace: security
       name: external-secrets-webhook
-      path: /validate-external-secrets-io-v1beta1-clustersecretstore
+      path: /validate-external-secrets-io-v1-clustersecretstore
   admissionReviewVersions:
   - v1
   - v1beta1
   sideEffects: None
   timeoutSeconds: 5
+  failurePolicy: Fail
 
--- HelmRelease: security/external-secrets ValidatingWebhookConfiguration: security/externalsecret-validate

+++ HelmRelease: security/external-secrets ValidatingWebhookConfiguration: security/externalsecret-validate

@@ -1,32 +1,35 @@

 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: externalsecret-validate
   labels:
+    app.kubernetes.io/name: external-secrets-webhook
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/managed-by: Helm
     external-secrets.io/component: webhook
 webhooks:
 - name: validate.externalsecret.external-secrets.io
   rules:
   - apiGroups:
     - external-secrets.io
     apiVersions:
-    - v1beta1
+    - v1
     operations:
     - CREATE
     - UPDATE
     - DELETE
     resources:
     - externalsecrets
     scope: Namespaced
   clientConfig:
     service:
       namespace: security
       name: external-secrets-webhook
-      path: /validate-external-secrets-io-v1beta1-externalsecret
+      path: /validate-external-secrets-io-v1-externalsecret
   admissionReviewVersions:
   - v1
   - v1beta1
   sideEffects: None
   timeoutSeconds: 5
   failurePolicy: Fail

[github-actions]

--- kubernetes/apps/security/external-secrets/app Kustomization: flux-system/external-secrets HelmRelease: security/external-secrets

+++ kubernetes/apps/security/external-secrets/app Kustomization: flux-system/external-secrets HelmRelease: security/external-secrets

@@ -13,13 +13,13 @@

     spec:
       chart: external-secrets
       sourceRef:
         kind: HelmRepository
         name: external-secrets
         namespace: flux-system
-      version: 0.9.18
+      version: 2.4.1
   install:
     remediation:
       retries: 3
   interval: 30m
   maxHistory: 2
   uninstall: