feat(helm)!: Update chart external-secrets ( 0.16.1 → 2.1.0 )

[flkr-23]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change
external-secrets	major	0.16.1 → 2.1.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

external-secrets/external-secrets (external-secrets)

v2.1.0

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v2.1.0
Image: ghcr.io/external-secrets/external-secrets:v2.1.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v2.1.0-ubi-boringssl

What's Changed

General

• chore(release): Update helm chart by @​evrardj-roche in #​5981
• fix: cosign verify does not use signing config by @​gusfcarvalho in #​5982
• docs: Update release process by @​evrardj-roche in #​5980
• fix: allow cross-namespace push with ClusterSecretStore objects by @​Skarlso in #​5998
• feat(charts): add new flag enable leader for cert-manager by @​nutmos in #​5863
• feat(kubernetes): fall back to system CA roots when no CA is configured by @​rajsinghtech in #​5961
• feat: dedup sbom but keep it monolithic by @​moolen in #​6004
• fix: add missing metrics and fundamentally fix the caching logic by @​Skarlso in #​5894
• docs: designate Oracle Vault provider as 'stable' by @​anders-swanson in #​6020
• docs: Oracle Vault provider capabilities by @​anders-swanson in #​6023
• docs(azurekv): cert-manager pushsecret example and cleanups by @​illrill in #​5972
• feat(kubernetes): implement SecretExists by @​Saku2 in #​5973
• fix(charts): Fix wrongly set annotations for cert-controller metrics service by @​josemaia in #​6029
• feat(providers): Nebius MysteryBox integration by @​greenmapc in #​5868

Dependencies

• chore(deps): bump aquasecurity/trivy-action from 0.34.0 to 0.34.1 by @​dependabot[bot] in #​5986
• chore(deps): bump mkdocs-material from 9.7.1 to 9.7.2 in /hack/api-docs by @​dependabot[bot] in #​5992
• chore(deps): bump ubi9/ubi from b8923f5 to cecb1cd by @​dependabot[bot] in #​5984
• chore(deps): bump helm/kind-action from 1.13.0 to 1.14.0 by @​dependabot[bot] in #​5985
• chore(deps): bump actions/dependency-review-action from 4.8.2 to 4.8.3 by @​dependabot[bot] in #​5990
• chore(deps): bump github/codeql-action from 4.32.3 to 4.32.4 by @​dependabot[bot] in #​5989
• chore(deps): bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0 by @​dependabot[bot] in #​5987
• chore(deps): bump regex from 2026.1.15 to 2026.2.19 in /hack/api-docs by @​dependabot[bot] in #​5991
• chore(deps): bump actions/stale from 10.1.1 to 10.2.0 by @​dependabot[bot] in #​5988
• chore(deps): bump regex from 2026.2.19 to 2026.2.28 in /hack/api-docs by @​dependabot[bot] in #​6012
• chore(deps): bump mkdocs-material from 9.7.2 to 9.7.3 in /hack/api-docs by @​dependabot[bot] in #​6014
• chore(deps): bump step-security/harden-runner from 2.14.2 to 2.15.0 by @​dependabot[bot] in #​6015
• chore(deps): bump anchore/sbom-action from 0.22.2 to 0.23.0 by @​dependabot[bot] in #​6016
• chore(deps): bump certifi from 2026.1.4 to 2026.2.25 in /hack/api-docs by @​dependabot[bot] in #​6013
• chore(deps): bump actions/setup-go from 6.2.0 to 6.3.0 by @​dependabot[bot] in #​6010
• chore(deps): bump hashicorp/setup-terraform from ce70bcf to 5e8dbf3 by @​dependabot[bot] in #​6011
• chore(deps): bump actions/attest-build-provenance from 3.2.0 to 4.1.0 by @​dependabot[bot] in #​6009
• chore(deps): bump distroless/static from 972618c to 28efbe9 by @​dependabot[bot] in #​6008

New Contributors

• @​nutmos made their first contribution in #​5863
• @​rajsinghtech made their first contribution in #​5961
• @​illrill made their first contribution in #​5972
• @​Saku2 made their first contribution in #​5973
• @​greenmapc made their first contribution in #​5868

Full Changelog: external-secrets/external-secrets@v2.0.1...v2.1.0

v2.0.1

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v2.0.1
Image: ghcr.io/external-secrets/external-secrets:v2.0.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v2.0.1-ubi-boringssl

BREAKING CHANGE

The sprig update is actually a breaking change. It turns out that some of the functions in templating changed with this update.

What's Changed

General

• chore: release helm chart for v2.0.0 by @​Skarlso in #​5932
• docs: update the stability doc with the new version by @​Skarlso in #​5933
• chore(doc): add loblaw to adopter md by @​FZhg in #​5937
• chore: bump golang to 1.25.7 because of cve by @​Skarlso in #​5938
• fix: deleting the whole secret when it is empty by @​Skarlso in #​5927
• chore: update controller runtime by @​Skarlso in #​5930
• fix: update cosign and syft for signing by @​Skarlso in #​5958
• fix: the informer can not register use GetInformer instead by @​Skarlso in #​5931
• fix: attempt to fix cosign compatibility issues by @​gusfcarvalho in #​5959
• chore: remove outdated info from stability doc by @​Skarlso in #​5971
• chore(deps): update Masterminds/sprig to 8cb06fe… by @​tete17 in #​5747
• docs(release): Update support matrix by @​evrardjp in #​5978

Dependencies

• chore(deps): bump golang from 20c8a94 to f6751d8 by @​dependabot[bot] in #​5940
• chore(deps): bump ubi9/ubi from c8df11b to b8923f5 by @​dependabot[bot] in #​5939
• chore(deps): bump distroless/static from cd64bec to 972618c by @​dependabot[bot] in #​5941
• chore(deps): bump github/codeql-action from 4.32.0 to 4.32.2 by @​dependabot[bot] in #​5942
• chore(deps): bump anchore/sbom-action from 0.22.1 to 0.22.2 by @​dependabot[bot] in #​5943
• chore(deps): bump step-security/harden-runner from 2.14.1 to 2.14.2 by @​dependabot[bot] in #​5944
• chore(deps): bump zizmorcore/zizmor-action from 0.4.1 to 0.5.0 by @​dependabot[bot] in #​5945
• chore(deps): bump fossas/fossa-action from 1.7.0 to 1.8.0 by @​dependabot[bot] in #​5946
• chore(deps): bump aws-actions/configure-aws-credentials from 5.1.1 to 6.0.0 by @​dependabot[bot] in #​5947
• chore(deps): bump github/codeql-action from 4.32.2 to 4.32.3 by @​dependabot[bot] in #​5965
• chore(deps): bump markdown from 3.10.1 to 3.10.2 in /hack/api-docs by @​dependabot[bot] in #​5968
• chore(deps): bump aquasecurity/trivy-action from 0.33.1 to 0.34.0 by @​dependabot[bot] in #​5964
• chore(deps): bump platformdirs from 4.5.1 to 4.9.2 in /hack/api-docs by @​dependabot[bot] in #​5967
• chore(deps): bump pymdown-extensions from 10.20.1 to 10.21 in /hack/api-docs by @​dependabot[bot] in #​5969

New Contributors

• @​FZhg made their first contribution in #​5937

Full Changelog: external-secrets/external-secrets@v2.0.0...v2.0.1

v2.0.0

Compare Source

BREAKING CHANGE

Please note that this release removed two of the unsupported and unmaintained providers Alibaba and Device42.

Image: ghcr.io/external-secrets/external-secrets:v2.0.0
Image: ghcr.io/external-secrets/external-secrets:v2.0.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v2.0.0-ubi-boringssl

What's Changed

General

• chore: bump charts to 1.3.2 by @​gusfcarvalho in #​5923
• feat(charts): add hostAliases support by @​janlauber in #​5866
• chore: remove unmaintained secret stores by @​Skarlso in #​5918
• docs(infisical): document al provider auth methods by @​varonix0 in #​5929
• chore: Get validating webhook failurePolicy for Secretstore dynamically by @​LochanRn in #​5605

New Contributors

• @​LochanRn made their first contribution in #​5605

Full Changelog: external-secrets/external-secrets@v1.3.2...v2.0.0

v1.3.2

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v1.3.2
Image: ghcr.io/external-secrets/external-secrets:v1.3.2-ubi
Image: ghcr.io/external-secrets/external-secrets:v1.3.2-ubi-boringssl

What's Changed

General

• chore: release helm chart for v1.3.1 by @​Skarlso in #​5860
• chore(chart): Add missing tests for readinessProbe by @​jcpunk in #​5769
• docs: Update FluxCD example by @​umizoom in #​5862
• fix(ci): Removed the unused check for Windows in Makefile by @​HauptJ in #​5870
• docs(release): Add actual dates for EOL of 1.x releases in stability and support page by @​n4zukker in #​5889
• docs: Passbolt provider maintenance ownership by @​stripthis in #​5886
• chore: Update Passbolt MaintenanceStatus to MaintenanceStatusMaintained by @​stripthis in #​5887
• fix(security): sanitize json.Unmarshal errors to prevent secret data … by @​moolen in #​5884
• fix: webhook initialization order by @​gusfcarvalho in #​5901
• chore: Cleanup flags by @​evrardj-roche in #​5845
• fix: onepasswordsdk shared tenant by altering the provider in the client cache by @​Skarlso in #​5921

Dependencies

• chore(deps): bump github/codeql-action from 4.31.10 to 4.31.11 by @​dependabot[bot] in #​5873
• chore(deps): bump pymdown-extensions from 10.20 to 10.20.1 in /hack/api-docs by @​dependabot[bot] in #​5877
• chore(deps): bump markdown from 3.10 to 3.10.1 in /hack/api-docs by @​dependabot[bot] in #​5880
• chore(deps): bump ubi9/ubi from 22e9573 to 1f84f5c by @​dependabot[bot] in #​5871
• chore(deps): bump actions/setup-python from 6.1.0 to 6.2.0 by @​dependabot[bot] in #​5872
• chore(deps): bump hashicorp/setup-terraform from 93d5a27 to dcc3150 by @​dependabot[bot] in #​5875
• chore(deps): bump actions/checkout from 6.0.1 to 6.0.2 by @​dependabot[bot] in #​5876
• chore(deps): bump step-security/harden-runner from 2.14.0 to 2.14.1 by @​dependabot[bot] in #​5878
• chore(deps): bump anchore/sbom-action from 0.21.1 to 0.22.0 by @​dependabot[bot] in #​5874
• chore(deps): bump packaging from 25.0 to 26.0 in /hack/api-docs by @​dependabot[bot] in #​5879
• chore(deps): bump golang from d9b2e14 to 98e6cff by @​dependabot[bot] in #​5907
• chore(deps): bump alpine from 865b95f to 2510918 in /hack/api-docs by @​dependabot[bot] in #​5914
• chore(deps): bump docker/login-action from 3.6.0 to 3.7.0 by @​dependabot[bot] in #​5909
• chore(deps): bump actions/cache from 5.0.2 to 5.0.3 by @​dependabot[bot] in #​5912
• chore(deps): bump actions/attest-build-provenance from 3.1.0 to 3.2.0 by @​dependabot[bot] in #​5910
• chore(deps): bump hashicorp/setup-terraform from dcc3150 to ce70bcf by @​dependabot[bot] in #​5911
• chore(deps): bump ubi9/ubi from 1f84f5c to c8df11b by @​dependabot[bot] in #​5908
• chore(deps): bump alpine from 3.23.2 to 3.23.3 in /e2e by @​dependabot[bot] in #​5915
• chore(deps): bump alpine from 865b95f to 2510918 by @​dependabot[bot] in #​5906
• chore(deps): bump pathspec from 1.0.3 to 1.0.4 in /hack/api-docs by @​dependabot[bot] in #​5916
• chore(deps): bump babel from 2.17.0 to 2.18.0 in /hack/api-docs by @​dependabot[bot] in #​5917
• chore(deps): bump github/codeql-action from 4.31.11 to 4.32.0 by @​dependabot[bot] in #​5913

New Contributors

• @​umizoom made their first contribution in #​5862
• @​HauptJ made their first contribution in #​5870
• @​n4zukker made their first contribution in #​5889
• @​stripthis made their first contribution in #​5886

Full Changelog: external-secrets/external-secrets@v1.3.1...v1.3.2

v1.3.1

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v1.3.1
Image: ghcr.io/external-secrets/external-secrets:v1.3.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v1.3.1-ubi-boringssl

For a Full release please referre to https://github.com/external-secrets/external-secrets/releases/tag/v1.3.0. This is a fix build for the docker publish flow.

What's Changed

General

• fix: ignore the in-toto manifest when promoting the docker build by @​Skarlso in #​5859

Full Changelog: external-secrets/external-secrets@v1.3.0...v1.3.1

v1.2.1

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v1.2.1
Image: ghcr.io/external-secrets/external-secrets:v1.2.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v1.2.1-ubi-boringssl

What's Changed

General

• chore(chart): release helm chart 1.2.0 by @​jakobmoellerdev in #​5751
• fix: metrics not being correctly updated and deleted by @​Skarlso in #​5714
• feat(infisical): add caBundle and caProvider support by @​wi-adam in #​5770
• docs(apis): fix inaccurate SecretStore comments (v1 + v1beta1) by @​fallmo in #​5773
• fix: add missing link to the docs by @​Skarlso in #​5783
• fix: for target template parsing for complex matchers by @​Skarlso in #​5735
• fix: a lot of sonar issue fixes by @​Skarlso in #​5771

Dependencies

• chore(deps): bump golang from 2611181 to ac09a5f by @​dependabot[bot] in #​5758
• chore(deps): bump alpine from 3.23.0 to 3.23.2 in /e2e by @​dependabot[bot] in #​5764
• chore(deps): bump importlib-metadata from 8.7.0 to 8.7.1 in /hack/api-docs by @​dependabot[bot] in #​5768
• chore(deps): bump tornado from 6.5.3 to 6.5.4 in /hack/api-docs by @​dependabot[bot] in #​5767
• chore(deps): bump mkdocs-material from 9.7.0 to 9.7.1 in /hack/api-docs by @​dependabot[bot] in #​5766
• chore(deps): bump alpine from 51183f2 to 865b95f in /hack/api-docs by @​dependabot[bot] in #​5765
• chore(deps): bump alpine from 51183f2 to 865b95f by @​dependabot[bot] in #​5756
• chore(deps): bump ubi9/ubi from d4feb57 to 3816d30 by @​dependabot[bot] in #​5757
• chore(deps): bump peter-evans/slash-command-dispatch from 5.0.1 to 5.0.2 by @​dependabot[bot] in #​5763
• chore(deps): bump github/codeql-action from 4.31.8 to 4.31.9 by @​dependabot[bot] in #​5762
• chore(deps): bump actions/attest-build-provenance from 3.0.0 to 3.1.0 by @​dependabot[bot] in #​5761
• chore(deps): bump docker/setup-buildx-action from 3.11.1 to 3.12.0 by @​dependabot[bot] in #​5760
• chore(deps): bump hashicorp/setup-terraform from 071811a to 92e4d08 by @​dependabot[bot] in #​5759
• chore(deps): bump anchore/sbom-action from 0.20.11 to 0.21.0 by @​dependabot[bot] in #​5784

New Contributors

• @​wi-adam made their first contribution in #​5770
• @​fallmo made their first contribution in #​5773

Full Changelog: external-secrets/external-secrets@v1.2.0...v1.2.1

v1.2.0

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v1.2.0
Image: ghcr.io/external-secrets/external-secrets:v1.2.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v1.2.0-ubi-boringssl

What's Changed

General

• chore: bump 1.1.1 by @​gusfcarvalho in #​5687
• chore: fix the argocd e2e test case by @​Skarlso in #​5688
• feat(provider): add Barbican provider support by @​rkferreira in #​5398
• docs(secretserver): promote secretserver provider to beta by @​DelineaSahilWankhede in #​5668
• feat(controller): add flag to enable/disable secretstore reconcile by @​Ilhan-Personal in #​5653
• fix(aws-secrets-manager): Apply filtering based on both name and tags if provided by @​iypetrov in #​5685
• fix(gcpsm): SecretExists should check for regional secrets when store location is specified by @​tokiwong in #​5708
• feat: introduce store deprecation by @​gusfcarvalho in #​5711
• feat(charts): add global values for common deployment configurations by @​Gabryel8818 in #​5652
• feat: add Doppler OIDC-based authentication by @​mikesellitto in #​5475
• fix: make custom configuration available regardless of environment by @​Skarlso in #​5713
• chore(chart): update bitwarden dependency to v0.5.2 by @​Skarlso in #​5719
• docs(templating): update rbac for generic targets by @​lostick in #​5736
• fix(testing): Breaking changes should not break ci by @​evrardjp in #​5739
• fix(security): Get rid of getSecretKey by @​evrardjp in #​5738
• fix(aws): parse resource policies into canonical JSON (sorted) before comparing by @​cmoscofian in #​5622
• docs: Fix example in GCP documentation by @​headcr4sh in #​5745
• chore(secretserver): update dependencies to accept new DelineaXPM/tss-sdk-go by @​DelineaSahilWankhede in #​5742
• fix(gcpsm): Improve SecretExists method in GCP secret manager provider by @​tosih in #​5610
• chore(docs): add clarification to helm values being disabled by @​Skarlso in #​5746
• fix(release): apply 64dc681 to release by @​jakobmoellerdev in #​5749
• docs(release): 1.2 stability-support.md by @​jakobmoellerdev in #​5750

Dependencies

• chore(deps): bump golang from 1.25.4 to 1.25.5 by @​dependabot[bot] in #​5693
• chore(deps): bump golang from 1.25.4-bookworm to 1.25.5-bookworm in /e2e by @​dependabot[bot] in #​5702
• chore(deps): bump ubi9/ubi from dcd8128 to 75937d9 by @​dependabot[bot] in #​5655
• chore(deps): bump peter-evans/slash-command-dispatch from 5.0.0 to 5.0.1 by @​dependabot[bot] in #​5695
• chore(deps): bump github/codeql-action from 4.31.5 to 4.31.7 by @​dependabot[bot] in #​5696
• chore(deps): bump actions/stale from 10.1.0 to 10.1.1 by @​dependabot[bot] in #​5697
• chore(deps): bump actions/create-github-app-token from 2.2.0 to 2.2.1 by @​dependabot[bot] in #​5700
• chore(deps): bump step-security/harden-runner from 2.13.2 to 2.13.3 by @​dependabot[bot] in #​5698
• chore(deps): bump actions/checkout from 6.0.0 to 6.0.1 by @​dependabot[bot] in #​5699
• chore(deps): bump platformdirs from 4.5.0 to 4.5.1 in /hack/api-docs by @​dependabot[bot] in #​5705
• chore(deps): bump distroless/static from 87bce11 to 4b2a093 by @​dependabot[bot] in #​5692
• chore(deps): bump alpine from 3.22 to 3.23 in /hack/api-docs by @​dependabot[bot] in #​5703
• chore(deps): bump urllib3 from 2.5.0 to 2.6.0 in /hack/api-docs by @​dependabot[bot] in #​5704
• chore(deps): bump pymdown-extensions from 10.17.2 to 10.18 in /hack/api-docs by @​dependabot[bot] in #​5706
• chore(deps): bump alpine from 3.22.2 to 3.23.0 in /e2e by @​dependabot[bot] in #​5701
• chore(deps): bump golang from 2611181 to 2611181 by @​dependabot[bot] in #​5721
• chore(deps): bump codecov/codecov-action from 5.5.1 to 5.5.2 by @​dependabot[bot] in #​5725
• chore(deps): bump urllib3 from 2.6.0 to 2.6.2 in /hack/api-docs by @​dependabot[bot] in #​5730
• chore(deps): bump github/codeql-action from 4.31.7 to 4.31.8 by @​dependabot[bot] in #​5726
• chore(deps): bump anchore/sbom-action from 0.20.10 to 0.20.11 by @​dependabot[bot] in #​5724
• chore(deps): bump tornado from 6.5.2 to 6.5.3 in /hack/api-docs by @​dependabot[bot] in #​5732
• chore(deps): bump ubi9/ubi from 75937d9 to d4feb57 by @​dependabot[bot] in #​5722
• chore(deps): bump golang from 5117d68 to 09f53de in /e2e by @​dependabot[bot] in #​5729
• chore(deps): bump alpine from 4b7ce07 to 51183f2 by @​dependabot[bot] in #​5694
• chore(deps): bump hashicorp/setup-terraform from 712b439 to 071811a by @​dependabot[bot] in #​5727
• chore(deps): bump pymdown-extensions from 10.18 to 10.19.1 in /hack/api-docs by @​dependabot[bot] in #​5731
• chore(deps): bump step-security/harden-runner from 2.13.3 to 2.14.0 by @​dependabot[bot] in #​5728
• chore(deps): bump actions/cache from 4.3.0 to 5.0.1 by @​dependabot[bot] in #​5723

New Contributors

• @​iypetrov made their first contribution in #​5685
• @​tokiwong made their first contribution in #​5708
• @​Gabryel8818 made their first contribution in #​5652
• @​mikesellitto made their first contribution in #​5475
• @​lostick made their first contribution in #​5736
• @​cmoscofian made their first contribution in #​5622
• @​headcr4sh made their first contribution in #​5745
• @​tosih made their first contribution in #​5610

Full Changelog: external-secrets/external-secrets@v1.1.1...v1.2.0

v1.1.1

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v1.1.1
Image: ghcr.io/external-secrets/external-secrets:v1.1.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v1.1.1-ubi-boringssl

What's Changed

General

• chore(chart): release helm chart 1.1.0 by @​Skarlso in #​5619
• docs: improve spec.md by exporting generator types by @​gusfcarvalho in #​5624
• chore(deps): remove sprig fork by @​Skarlso in #​5626
• fix: report 404 secrets correctly in Gitlab provider by @​alekc in #​5104
• docs(secretserver): update documentation to include Platform compatibility by @​DelineaSahilWankhede in #​5546
• docs: add llm policy by @​Skarlso in #​5649
• fix: pass in the token to the build and publish container by @​Skarlso in #​5651
• test(secretserver): improve test coverage for SecretServer provider by @​DelineaSahilWankhede in #​5641
• fix: docs pipeline by @​rkferreira in #​5663
• fix: modify the url of the remote to include the token by @​Skarlso in #​5664
• feat(helm): add dynamic labelSelector if not define in topologySpread… by @​fe80 in #​5065
• feat: Support retry settings for Doppler provider by @​maduonline in #​5608
• feat(beyondtrust): enable pushing secrets in BeyondTrust provider by @​btfhernandez in #​5586
• fix: correctly merge map fields during templating by @​Skarlso in #​5671
• fix: use patch instead of update for finalizers addition and removal by @​Skarlso in #​5670
• feat(oracle): implement SecretExists by @​anders-swanson in #​5672
• fix(security): create provider for webhook & fake by @​ShimonDarshan in #​5628
• fix: set client transport to use GitHub Enterprise URL by @​fred-gagnon in #​5662
• feat(generator): Password generator can generate and expose multiple passwords by @​Trojanekkk in #​5669
• fix: run check diff on main by @​Skarlso in #​5681
• feat: bitwardenServerSDKURL is required for bitwardensecretsmanager by @​budimanjojo in #​5679
• fix: update the refreshInterval formatting everywhere by @​Skarlso in #​5680
• clean: Update conjur-api-go; Disable credential storage by @​szh in #​5648
• fix: add live-reload to make docs.serve by @​gusfcarvalho in #​5676
• fix: remove cached artifacts after build by @​gusfcarvalho in #​5686
• fix(keepersecurity): properly handle fields key by @​pepordev in #​5674

Dependencies

• chore(deps): bump golang from d3f0cf7 to d3f0cf7 by @​dependabot[bot] in #​5630
• chore(deps): bump golang from 7419f54 to e174196 in /e2e by @​dependabot[bot] in #​5638
• chore(deps): bump zizmorcore/zizmor-action from 0.2.0 to 0.3.0 by @​dependabot[bot] in #​5637
• chore(deps): bump actions/setup-go from 6.0.0 to 6.1.0 by @​dependabot[bot] in #​5636
• chore(deps): bump anchore/sbom-action from 0.20.9 to 0.20.10 by @​dependabot[bot] in #​5635
• chore(deps): bump actions/create-github-app-token from 2.1.4 to 2.2.0 by @​dependabot[bot] in #​5634
• chore(deps): bump github/codeql-action from 4.31.3 to 4.31.4 by @​dependabot[bot] in #​5633
• chore(deps): bump aws-actions/configure-aws-credentials from f2964c7 to 4a54c24 by @​dependabot[bot] in #​5632
• chore(deps): bump actions/checkout from 5.0.0 to 6.0.0 by @​dependabot[bot] in #​5631
• chore(deps): bump pymdown-extensions from 10.17.1 to 10.17.2 in /hack/api-docs by @​dependabot[bot] in #​5660
• chore(deps): bump softprops/action-gh-release from 2.4.2 to 2.5.0 by @​dependabot[bot] in #​5656
• chore(deps): bump actions/setup-python from 6.0.0 to 6.1.0 by @​dependabot[bot] in #​5657
• chore(deps): bump peter-evans/slash-command-dispatch from 4.0.0 to 5.0.0 by @​dependabot[bot] in #​5658
• chore(deps): bump hashicorp/setup-terraform from 4c5fdab to 712b439 by @​dependabot[bot] in #​5659

New Contributors

• @​fe80 made their first contribution in #​5065
• @​maduonline made their first contribution in #​5608
• [@​fred-gagnon](

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[flkr-23]

--- kubernetes/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets HelmRelease: external-secrets/external-secrets

+++ kubernetes/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets HelmRelease: external-secrets/external-secrets

@@ -13,13 +13,13 @@

     spec:
       chart: external-secrets
       sourceRef:
         kind: HelmRepository
         name: external-secrets
         namespace: flux-system
-      version: 0.16.1
+      version: 2.1.0
   install:
     remediation:
       retries: 3
   interval: 30m
   upgrade:
     cleanupOnFail: true

[flkr-23]

--- HelmRelease: external-secrets/external-secrets ClusterRole: external-secrets/external-secrets-cert-controller

+++ HelmRelease: external-secrets/external-secrets ClusterRole: external-secrets/external-secrets-cert-controller

@@ -42,12 +42,20 @@

   - endpoints
   verbs:
   - list
   - get
   - watch
 - apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - list
+  - get
+  - watch
+- apiGroups:
   - ''
   resources:
   - events
   verbs:
   - create
   - patch
--- HelmRelease: external-secrets/external-secrets ClusterRole: external-secrets/external-secrets-controller

+++ HelmRelease: external-secrets/external-secrets ClusterRole: external-secrets/external-secrets-controller

@@ -60,24 +60,27 @@

   - delete
   - deletecollection
 - apiGroups:
   - generators.external-secrets.io
   resources:
   - acraccesstokens
+  - cloudsmithaccesstokens
   - clustergenerators
   - ecrauthorizationtokens
   - fakes
   - gcraccesstokens
   - githubaccesstokens
   - quayaccesstokens
   - passwords
+  - sshkeys
   - stssessiontokens
   - uuids
   - vaultdynamicsecrets
   - webhooks
   - grafanas
+  - mfas
   verbs:
   - get
   - list
   - watch
 - apiGroups:
   - ''
@@ -85,12 +88,19 @@

   - serviceaccounts
   - namespaces
   verbs:
   - get
   - list
   - watch
+- apiGroups:
+  - ''
+  resources:
+  - namespaces
+  verbs:
+  - update
+  - patch
 - apiGroups:
   - ''
   resources:
   - configmaps
   verbs:
   - get
--- HelmRelease: external-secrets/external-secrets ClusterRole: external-secrets/external-secrets-view

+++ HelmRelease: external-secrets/external-secrets ClusterRole: external-secrets/external-secrets-view

@@ -24,22 +24,26 @@

   - watch
   - list
 - apiGroups:
   - generators.external-secrets.io
   resources:
   - acraccesstokens
+  - cloudsmithaccesstokens
   - clustergenerators
   - ecrauthorizationtokens
   - fakes
   - gcraccesstokens
   - githubaccesstokens
   - quayaccesstokens
   - passwords
+  - sshkeys
   - vaultdynamicsecrets
   - webhooks
   - grafanas
   - generatorstates
+  - mfas
+  - uuids
   verbs:
   - get
   - watch
   - list
 
--- HelmRelease: external-secrets/external-secrets ClusterRole: external-secrets/external-secrets-edit

+++ HelmRelease: external-secrets/external-secrets ClusterRole: external-secrets/external-secrets-edit

@@ -25,23 +25,27 @@

   - patch
   - update
 - apiGroups:
   - generators.external-secrets.io
   resources:
   - acraccesstokens
+  - cloudsmithaccesstokens
   - clustergenerators
   - ecrauthorizationtokens
   - fakes
   - gcraccesstokens
   - githubaccesstokens
   - quayaccesstokens
   - passwords
+  - sshkeys
   - vaultdynamicsecrets
   - webhooks
   - grafanas
   - generatorstates
+  - mfas
+  - uuids
   verbs:
   - create
   - delete
   - deletecollection
   - patch
   - update
--- HelmRelease: external-secrets/external-secrets Service: external-secrets/external-secrets-webhook

+++ HelmRelease: external-secrets/external-secrets Service: external-secrets/external-secrets-webhook

@@ -10,13 +10,13 @@

     app.kubernetes.io/managed-by: Helm
     external-secrets.io/component: webhook
 spec:
   type: ClusterIP
   ports:
   - port: 443
-    targetPort: 10250
+    targetPort: webhook
     protocol: TCP
     name: webhook
   selector:
     app.kubernetes.io/name: external-secrets-webhook
     app.kubernetes.io/instance: external-secrets
 
--- HelmRelease: external-secrets/external-secrets Deployment: external-secrets/external-secrets-cert-controller

+++ HelmRelease: external-secrets/external-secrets Deployment: external-secrets/external-secrets-cert-controller

@@ -34,13 +34,13 @@

             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
-        image: ghcr.io/external-secrets/external-secrets:v0.16.1
+        image: ghcr.io/external-secrets/external-secrets:v2.1.0
         imagePullPolicy: IfNotPresent
         args:
         - certcontroller
         - --crd-requeue-interval=5m
         - --service-name=external-secrets-webhook
         - --service-namespace=external-secrets
@@ -48,17 +48,21 @@

         - --secret-namespace=external-secrets
         - --metrics-addr=:8080
         - --healthz-addr=:8081
         - --loglevel=info
         - --zap-time-encoding=epoch
         - --enable-partial-cache=true
+        - --enable-leader-election=true
         ports:
         - containerPort: 8080
           protocol: TCP
           name: metrics
+        - containerPort: 8081
+          protocol: TCP
+          name: ready
         readinessProbe:
           httpGet:
-            port: 8081
+            port: ready
             path: /readyz
           initialDelaySeconds: 20
           periodSeconds: 5
 
--- HelmRelease: external-secrets/external-secrets Deployment: external-secrets/external-secrets

+++ HelmRelease: external-secrets/external-secrets Deployment: external-secrets/external-secrets

@@ -34,13 +34,13 @@

             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
-        image: ghcr.io/external-secrets/external-secrets:v0.16.1
+        image: ghcr.io/external-secrets/external-secrets:v2.1.0
         imagePullPolicy: IfNotPresent
         args:
         - --enable-leader-election=true
         - --concurrent=1
         - --metrics-addr=:8080
         - --loglevel=info
--- HelmRelease: external-secrets/external-secrets Deployment: external-secrets/external-secrets-webhook

+++ HelmRelease: external-secrets/external-secrets Deployment: external-secrets/external-secrets-webhook

@@ -34,13 +34,13 @@

             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
-        image: ghcr.io/external-secrets/external-secrets:v0.16.1
+        image: ghcr.io/external-secrets/external-secrets:v2.1.0
         imagePullPolicy: IfNotPresent
         args:
         - webhook
         - --port=10250
         - --dns-name=external-secrets-webhook.external-secrets.svc
         - --cert-dir=/tmp/certs
@@ -53,15 +53,18 @@

         - containerPort: 8080
           protocol: TCP
           name: metrics
         - containerPort: 10250
           protocol: TCP
           name: webhook
+        - containerPort: 8081
+          protocol: TCP
+          name: ready
         readinessProbe:
           httpGet:
-            port: 8081
+            port: ready
             path: /readyz
           initialDelaySeconds: 20
           periodSeconds: 5
         volumeMounts:
         - name: certs
           mountPath: /tmp/certs
--- HelmRelease: external-secrets/external-secrets ValidatingWebhookConfiguration: external-secrets/secretstore-validate

+++ HelmRelease: external-secrets/external-secrets ValidatingWebhookConfiguration: external-secrets/secretstore-validate

@@ -29,12 +29,13 @@

       path: /validate-external-secrets-io-v1-secretstore
   admissionReviewVersions:
   - v1
   - v1beta1
   sideEffects: None
   timeoutSeconds: 5
+  failurePolicy: Fail
 - name: validate.clustersecretstore.external-secrets.io
   rules:
   - apiGroups:
     - external-secrets.io
     apiVersions:
     - v1