18 commits
36d0045
chore(chart-deps): update external-secrets to version 2.5.0
svcAPLBot May 16, 2026
282dd2c
Merge branch 'main' into ci-update-external-secrets-to-2.5.0
svcAPLBot May 19, 2026
953bae5
Merge branch 'main' into ci-update-external-secrets-to-2.5.0
svcAPLBot May 19, 2026
28d6477
Merge branch 'main' into ci-update-external-secrets-to-2.5.0
svcAPLBot May 19, 2026
1c29e3b
Merge branch 'main' into ci-update-external-secrets-to-2.5.0
svcAPLBot May 20, 2026
2cd3bd9
Merge branch 'main' into ci-update-external-secrets-to-2.5.0
svcAPLBot May 20, 2026
b1b055f
Merge branch 'main' into ci-update-external-secrets-to-2.5.0
svcAPLBot May 20, 2026
2149e00
Merge branch 'main' into ci-update-external-secrets-to-2.5.0
svcAPLBot May 20, 2026
10535cf
Merge branch 'main' into ci-update-external-secrets-to-2.5.0
svcAPLBot May 26, 2026
f3a28a2
Merge branch 'main' into ci-update-external-secrets-to-2.5.0
svcAPLBot May 26, 2026
47aa7a4
Merge branch 'main' into ci-update-external-secrets-to-2.5.0
svcAPLBot May 26, 2026
5f5a23f
Merge branch 'main' into ci-update-external-secrets-to-2.5.0
svcAPLBot May 26, 2026
ddcb348
Merge branch 'main' into ci-update-external-secrets-to-2.5.0
svcAPLBot May 26, 2026
d53e7da
Merge branch 'main' into ci-update-external-secrets-to-2.5.0
svcAPLBot May 26, 2026
227daf7
Merge branch 'main' into ci-update-external-secrets-to-2.5.0
svcAPLBot May 26, 2026
b307a20
Merge branch 'main' into ci-update-external-secrets-to-2.5.0
svcAPLBot May 26, 2026
1877828
Merge branch 'main' into ci-update-external-secrets-to-2.5.0
svcAPLBot May 27, 2026
7935df6
Merge branch 'main' into ci-update-external-secrets-to-2.5.0
svcAPLBot May 27, 2026
2 changes: 1 addition & 1 deletion chart/chart-index/Chart.yaml
@@ -32,7 +32,7 @@ dependencies:
version: 1.21.1
repository: https://kubernetes-sigs.github.io/external-dns
- name: external-secrets
version: 2.4.1
version: 2.5.0
repository: https://charts.external-secrets.io
- name: gitea
version: 12.5.3
4 changes: 2 additions & 2 deletions charts/external-secrets/Chart.yaml
@@ -1,5 +1,5 @@
apiVersion: v2
appVersion: v2.4.1
appVersion: v2.5.0
dependencies:
- condition: bitwarden-sdk-server.enabled
name: bitwarden-sdk-server
@@ -17,4 +17,4 @@ maintainers:
name: mcavoyk
name: external-secrets
type: application
version: 2.4.1
version: 2.5.0
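Review bot: This 2.4.1 to 2.5.0 bump is a minor version carrying CRD schema additions (new AWS session-tag fields, GCP impersonation field, Pulumi auth block with CEL exactly-one rules) and an RBAC semantic change (scopedRBAC no longer requires scopedNamespace), so it should not be merged as a routine dependency bump; the PR description should list those behavioural changes and the Kubernetes version they require, and the chart-index pin in chart/chart-index/Chart.yaml moves in the same commit, which keeps the two in lockstep.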
16 changes: 14 additions & 2 deletions charts/external-secrets/README.md
@@ -4,7 +4,7 @@

[//]: # (README.md generated by gotmpl. DO NOT EDIT.)

![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 2.4.1](https://img.shields.io/badge/Version-2.4.1-informational?style=flat-square)
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 2.5.0](https://img.shields.io/badge/Version-2.5.0-informational?style=flat-square)

External secrets management for Kubernetes

@@ -61,7 +61,12 @@ The command removes all the Kubernetes components associated with the chart and
| certController.livenessProbe.successThreshold | int | `1` | |
| certController.livenessProbe.timeoutSeconds | int | `5` | |
| certController.log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifies Log Params to the Certificate Controller |
| certController.metrics.listen.auth.enabled | bool | `false` | Enable Kubernetes RBAC-based authentication for certController's metrics endpoint. Requires certController.metrics.listen.secure to be true. Default value is false. |
| certController.metrics.listen.port | int | `8080` | |
| certController.metrics.listen.secure.certDir | string | `"/etc/tls"` | TLS cert directory path |
| certController.metrics.listen.secure.certFile | string | `"/etc/tls/tls.crt"` | TLS cert file path |
| certController.metrics.listen.secure.enabled | bool | `false` | |
| certController.metrics.listen.secure.keyFile | string | `"/etc/tls/tls.key"` | TLS key file path |
| certController.metrics.service.annotations | object | `{}` | Additional service annotations |
| certController.metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
| certController.metrics.service.port | int | `8080` | Metrics service port to scrape |
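Review bot: The new `certController.metrics.listen.auth.enabled` row says it requires `certController.metrics.listen.secure` to be true, but the toggle in this table is `certController.metrics.listen.secure.enabled`, and that row has an empty description column, so a reader cannot tell from the README which key actually enables TLS. Since this file is generated by gotmpl (see the `DO NOT EDIT` marker at the top of the file), the wording fix belongs in the upstream values.yaml comments, not in README.md; the trailing "Default value is false" also just duplicates the Default column.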
@@ -170,6 +175,7 @@ The command removes all the Kubernetes components associated with the chart and
| livenessProbe.spec.successThreshold | int | `1` | Number of successful probes to mark probe successful. |
| livenessProbe.spec.timeoutSeconds | int | `5` | Specify the maximum amount of time to wait for a probe to respond before considering it fails. |
| log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifies Log Params to the External Secrets Operator |
| metrics.listen.auth.enabled | bool | `false` | Enable Kubernetes RBAC-based authentication for metrics endpoint. Requires metrics.listen.secure to be true. Default value is false. |
| metrics.listen.port | int | `8080` | |
| metrics.listen.secure.certDir | string | `"/etc/tls"` | TLS cert directory path |
| metrics.listen.secure.certFile | string | `"/etc/tls/tls.crt"` | TLS cert file path |
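Review bot: With `metrics.listen.auth.enabled` and `metrics.listen.secure.enabled` both defaulting to false, the operator's metrics endpoint on port 8080 stays plaintext and unauthenticated after this upgrade. If the platform only scrapes it inside the pod network that may be acceptable, but the decision should be explicit: either set both to true in the wrapper values (with a certificate mounted at the `certDir`/`certFile`/`keyFile` paths listed here) or record in the PR description why the default is kept.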
@@ -197,6 +203,7 @@ The command removes all the Kubernetes components associated with the chart and
| rbac.aggregateToEdit | bool | `true` | Specifies whether permissions are aggregated to the edit ClusterRole |
| rbac.aggregateToView | bool | `true` | Specifies whether permissions are aggregated to the view ClusterRole |
| rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
| rbac.serviceAccountTokenCreate | bool | `true` | Specifies whether the serviceaccounts/token create permission is included in the controller RBAC. When set to false, users must create per-ServiceAccount Role/RoleBinding with resourceNames constraint to grant ESO token creation for specific ServiceAccounts referenced in SecretStore specs. |
| rbac.servicebindings.create | bool | `true` | Specifies whether a clusterrole to give servicebindings read access should be created. |
| readinessProbe.enabled | bool | `false` | Determines whether the readiness probe is enabled. Disabled by default. Enabling this will auto-start the health server (--live-addr) even if livenessProbe is disabled. Health server address/port are configured via livenessProbe.spec.address and livenessProbe.spec.port. |
| readinessProbe.spec | object | `{"failureThreshold":3,"httpGet":{"path":"/readyz","port":"live"},"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5}` | The body of the readiness probe settings (standard Kubernetes probe spec). |
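Review bot: `rbac.serviceAccountTokenCreate` defaults to true, which keeps the cluster-wide `serviceaccounts/token` create permission in the controller's RBAC; per the row's own description, the least-privilege alternative is false plus a per-ServiceAccount Role/RoleBinding with a `resourceNames` constraint for the ServiceAccounts referenced in SecretStore specs. That choice should be made explicitly for this platform and documented in the wrapper values rather than inherited from the permissive default.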
@@ -212,7 +219,7 @@ The command removes all the Kubernetes components associated with the chart and
| resources | object | `{}` | |
| revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
| scopedNamespace | string | `""` | If set external secrets are only reconciled in the provided namespace |
| scopedRBAC | bool | `false` | Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace and implicitly disable cluster stores and cluster external secrets |
| scopedRBAC | bool | `false` | If true, create scoped RBAC roles and implicitly disable cluster-scoped controllers. Scoped to scopedNamespace if set, otherwise to .Release.Namespace. |
| securityContext.allowPrivilegeEscalation | bool | `false` | |
| securityContext.capabilities.drop[0] | string | `"ALL"` | |
| securityContext.enabled | bool | `true` | |
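Review bot: The `scopedRBAC` row changes semantics, not just wording: the old description required `scopedNamespace`, the new one falls back to `.Release.Namespace` when `scopedNamespace` is empty. An installation that set `scopedRBAC: true` without `scopedNamespace` will now get roles scoped to the release namespace and cluster-scoped controllers disabled, so this needs a line in the upgrade notes.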
@@ -282,7 +289,12 @@ The command removes all the Kubernetes components associated with the chart and
| webhook.livenessProbe.timeoutSeconds | int | `5` | |
| webhook.log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifies Log Params to the Webhook |
| webhook.lookaheadInterval | string | `""` | Specifies the lookaheadInterval for certificate validity |
| webhook.metrics.listen.auth.enabled | bool | `false` | Enable Kubernetes RBAC-based authentication for webhook's metrics endpoint. Requires webhook.metrics.listen.secure to be true. Default value is false. |
| webhook.metrics.listen.port | int | `8080` | |
| webhook.metrics.listen.secure.certDir | string | `"/etc/tls"` | TLS cert directory path |
| webhook.metrics.listen.secure.certFile | string | `"/etc/tls/tls.crt"` | TLS cert file path |
| webhook.metrics.listen.secure.enabled | bool | `false` | |
| webhook.metrics.listen.secure.keyFile | string | `"/etc/tls/tls.key"` | TLS key file path |
| webhook.metrics.service.annotations | object | `{}` | Additional service annotations |
| webhook.metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
| webhook.metrics.service.port | int | `8080` | Metrics service port to scrape |
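Review bot: The webhook gets the same `metrics.listen.auth.enabled` and `metrics.listen.secure.*` pair as the controller and certController, so there are now three independent toggles for metrics hardening. If the wrapper chart enables TLS and RBAC auth for one component it should enable all three together; otherwise a scrape configuration that assumes TLS plus a bearer token will work for one endpoint and fail for the others.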
129 changes: 127 additions & 2 deletions charts/external-secrets/crds/clustersecretstore.yaml
@@ -488,6 +488,16 @@ spec:
type: object
type: object
type: object
customSessionTags:
additionalProperties:
type: string
description: |-
CustomSessionTags defines additional STS session tags to include when SessionTagsPolicy is Custom.
These are merged with the automatically injected esoNamespace, esoStoreName, and esoStoreKind tags.
type: object
x-kubernetes-validations:
- message: 'customSessionTags cannot contain automatically injected reserved keys: esoNamespace, esoStoreName, esoStoreKind'
rule: '!(''esoNamespace'' in self) && !(''esoStoreName'' in self) && !(''esoStoreKind'' in self)'
externalID:
description: AWS External ID set on assumed IAM roles
type: string
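Review bot: The CEL rule on `customSessionTags` correctly rejects the reserved keys `esoNamespace`, `esoStoreName` and `esoStoreKind`, so a store author cannot override the identity tags that a downstream IAM policy may condition on; that is the right check. Two follow-ups: the map values are unconstrained strings, while STS session tags are limited to 128-character keys and 256-character values, so an oversized tag is only rejected at AssumeRole time rather than at admission; and the matching SecretStore CRD (secretstore.yaml) is not in the visible diff, so confirm it carries the same block.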
@@ -543,6 +553,19 @@ spec:
- value
type: object
type: array
sessionTagsPolicy:
default: None
description: |-
SessionTagsPolicy controls whether and how STS session tags are added when assuming roles.
None (default): no tags are added.
Simple: automatically adds esoNamespace (from the ExternalSecret), esoStoreName, and esoStoreKind tags.
Custom: adds esoNamespace, esoStoreName, and esoStoreKind plus any tags defined in CustomSessionTags.
Note: the IAM role must have sts:TagSession permission when using Simple or Custom.
enum:
- None
- Simple
- Custom
type: string
transitiveTagKeys:
description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
items:
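Review bot: `sessionTagsPolicy` defaults to None, so existing stores keep their current behaviour, but the note that the role must allow `sts:TagSession` is an operational prerequisite: switching a store to Simple or Custom before the role's trust policy is updated will make every AssumeRole fail. That belongs in the upgrade notes next to the existing `transitiveTagKeys` caveat. The enum plus default is good, since a mistyped policy value is rejected at admission instead of being silently treated as None.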
@@ -1997,6 +2020,18 @@ spec:
credential_source.url in the provided credConfig. This field is merely to double-check the external token source
URL is having the expected value.
type: string
gcpServiceAccountEmail:
description: |-
GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
after Workload Identity Federation. Use this to grant access through the service account's
IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
service_account_impersonation_url in the external account JSON from credConfig;
when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
on that ServiceAccount.
example: my-gsa@my-project.iam.gserviceaccount.com
minLength: 1
pattern: ^.*@.*\.iam\.gserviceaccount\.com$
type: string
serviceAccountRef:
description: |-
serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
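Review bot: The `pattern` on `gcpServiceAccountEmail` (`^.*@.*\.iam\.gserviceaccount\.com$`) is loose: `.*` on both sides of the `@` accepts whitespace, multiple `@` signs and an empty local part, and `minLength: 1` is redundant because the pattern already forces the `@...` suffix. A tighter form such as `^[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com$` would reject those inputs at admission. The description also deserves a note in the docs that this field now overrides both `service_account_impersonation_url` in credConfig and the `iam.gke.io/gcp-service-account` annotation, so the store spec rather than the ServiceAccount decides which GSA is impersonated; the Workload Identity binding on the GSA still gates it, but anyone reviewing ClusterSecretStore changes should know to look at this field.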
@@ -4225,7 +4260,10 @@ spec:
description: Pulumi configures this store to sync secrets using the Pulumi provider
properties:
accessToken:
description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
description: |-
AccessToken is the access tokens to sign in to the Pulumi Cloud Console.

Deprecated: Use auth.accessToken instead.
properties:
secretRef:
description: SecretRef is a reference to a secret containing the Pulumi API token.
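Review bot: The deprecation text on `accessToken` names the replacement (`auth.accessToken`) but not a removal version; stores that still set the top-level field will keep working because the field is left in the schema, so a target version for removal should be stated so operators know how long they have to migrate.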
@@ -4258,6 +4296,91 @@ spec:
default: https://api.pulumi.com/api/esc
description: APIURL is the URL of the Pulumi API.
type: string
auth:
description: |-
Auth configures how the Operator authenticates with the Pulumi API.
Either auth or the deprecated accessToken field must be specified.
properties:
accessToken:
description: AccessToken authenticates using a Pulumi access token stored in a Kubernetes Secret.
properties:
secretRef:
description: SecretRef is a reference to a secret containing the Pulumi API token.
properties:
key:
description: |-
A key in the referenced Secret.
Some instances of this field may be defaulted, in others it may be required.
maxLength: 253
minLength: 1
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: The name of the Secret resource being referred to.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
description: |-
The namespace of the Secret resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type: object
type: object
oidcConfig:
description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
properties:
expirationSeconds:
default: 600
description: |-
ExpirationSeconds sets the token validity duration for service account and OIDC token.
Defaults to 10 minutes.
format: int64
minimum: 600
type: integer
organization:
description: Organization is the name of the Pulumi organization configured for OIDC authentication.
type: string
serviceAccountRef:
description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
properties:
audiences:
description: |-
Audience specifies the `aud` claim for the service account token
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
description: |-
Namespace of the resource being referred to.
Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- name
type: object
required:
- organization
- serviceAccountRef
type: object
type: object
x-kubernetes-validations:
- message: Exactly one of 'accessToken' or 'oidcConfig' must be specified
rule: (has(self.accessToken) && !has(self.oidcConfig)) || (!has(self.accessToken) && has(self.oidcConfig))
environment:
description: |-
Environment are YAML documents composed of static key-value pairs, programmatic expressions,
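Review bot: `oidcConfig` requires its own `organization` while the Pulumi provider block already requires a top-level `organization` (see the `required` list in the following hunk), so a single store can carry two organization names that disagree; either document which one is used for the OIDC exchange or add a CEL rule that they match when both are present. The `expirationSeconds` field has `minimum: 600`, which matches the Kubernetes TokenRequest minimum, so the default is already the shortest token the API server will issue, and the exactly-one rule between `accessToken` and `oidcConfig` at the end of the block is the right way to stop a store from silently carrying both credential kinds.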
@@ -4274,11 +4397,13 @@ spec:
description: Project is the name of the Pulumi ESC project the environment belongs to.
type: string
required:
- accessToken
- environment
- organization
- project
type: object
x-kubernetes-validations:
- message: Exactly one of 'auth' or deprecated 'accessToken' must be specified
rule: (has(self.auth) && !has(self.accessToken)) || (!has(self.auth) && has(self.accessToken))
scaleway:
description: Scaleway configures this store to sync secrets using the Scaleway provider.
properties:
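Review bot: Dropping `accessToken` from `required` and gating with the `x-kubernetes-validations` exactly-one rule keeps existing objects that only set `accessToken` valid while forcing new ones to pick one mechanism, which is the right compatibility choice. The caveat is that CEL validation on CRDs needs an API server with CustomResourceValidationExpressions (beta since Kubernetes v1.25, GA in v1.29); this chart's minimum supported Kubernetes version should be checked against that, since on a cluster where the rule is not enforced a store with neither field would only fail at reconcile time.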
12 changes: 12 additions & 0 deletions charts/external-secrets/crds/gcraccesstoken.yaml
@@ -204,6 +204,18 @@ spec:
credential_source.url in the provided credConfig. This field is merely to double-check the external token source
URL is having the expected value.
type: string
gcpServiceAccountEmail:
description: |-
GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
after Workload Identity Federation. Use this to grant access through the service account's
IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
service_account_impersonation_url in the external account JSON from credConfig;
when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
on that ServiceAccount.
example: my-gsa@my-project.iam.gserviceaccount.com
minLength: 1
pattern: ^.*@.*\.iam\.gserviceaccount\.com$
type: string
serviceAccountRef:
description: |-
serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
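Review bot: This is the same `gcpServiceAccountEmail` definition as in clustersecretstore.yaml, including the same loose `^.*@.*\.iam\.gserviceaccount\.com$` pattern; since the two CRDs are presumably generated from one Go type, any tightening should be made once at the source so both files stay identical rather than patched in each YAML.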