Update Helm release external-secrets to v0.12.1
This MR contains the following updates:
| Package | Update | Change |
|---|---|---|
| external-secrets | minor | 0.10.7 -> 0.12.1 |
Release Notes
external-secrets/external-secrets (external-secrets)
v0.12.1
RELEASE VERSION
My apologies, when creating the release, 0.12.0 failed. The branch and tag however, have been created and I was unable to delete them. Thus, the version has been increased to 0.12.1 after the fix and now that's the current version. I hand updated the release notes to include everyone into the changes.
BREAKING CHANGES
The following breaking changes have been introduced into this release:
- Permission update for the AWS provider: BulkFetch is added when getting multiple secrets (a significant reduction in API calls, but it comes with adding a permission for the bulk endpoint)
- Fixed a typo for a generator in the json tag, where before it was `ecrRAuthorizationTokenSpec` with an extra R
- We standardized the GCP Secrets Manager Metadata structure for PushSecrets (be aware that existing manifests will stop working until updated to the standardized version); for more info see https://github.com/external-secrets/external-secrets/pull/4210
Images
Image: ghcr.io/external-secrets/external-secrets:v0.12.1
Image: ghcr.io/external-secrets/external-secrets:v0.12.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.12.1-ubi-boringssl
What's Changed
- chore(deps): bump ubi8/ubi from `7287624` to `37cdac4` by @dependabot in https://github.com/external-secrets/external-secrets/pull/4245
- revert: softprops update failing the release process by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4248
- chore: bump helm chart version v0.11.0 by @Skarlso https://github.com/external-secrets/external-secrets/pull/4166
- chore(deps): bump mkdocs-material in /hack/api-docs by @dependabot https://github.com/external-secrets/external-secrets/pull/4165
- chore: update dependencies by @eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4169
- Gc/fix clusterexternalsecret metrics by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4170
- chore(deps): bump distroless/static from `f4a57e8` to `5c7e2b4` by @dependabot https://github.com/external-secrets/external-secrets/pull/4164
- chore: deprecate olm proposal by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4175
- fix: error handling for gitlab variable fetch by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4177
- fix: v1 templates with metadata + always cleanup orphaned secrets by @thesuperzapper in https://github.com/external-secrets/external-secrets/pull/4174
- fix: handle empty template engine version by @thesuperzapper in https://github.com/external-secrets/external-secrets/pull/4182
- chore(deps): bump actions/cache from 4.1.2 to 4.2.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4190
- chore(deps): bump actions/attest-build-provenance from 1.4.4 to 2.0.1 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4189
- chore(deps): bump github/codeql-action from 3.27.5 to 3.27.6 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4188
- update dependencies in https://github.com/external-secrets/external-secrets/pull/4196
- chore(deps): bump codecov/codecov-action from 5.0.7 to 5.1.1 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4187
- chore(deps): bump alpine from 3.20.3 to 3.21.0 in /e2e by @dependabot in https://github.com/external-secrets/external-secrets/pull/4184
- chore(deps): bump golang from 1.23.3-bookworm to 1.23.4-bookworm by @dependabot in https://github.com/external-secrets/external-secrets/pull/4185
- chore(deps): bump alpine from 3.20 to 3.21 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4186
- chore(deps): bump alpine from `1e42bbe` to `21dc606` by @dependabot in https://github.com/external-secrets/external-secrets/pull/4191
- chore(deps): bump golang from 1.23.3 to 1.23.4 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4192
- chore(deps): bump six from 1.16.0 to 1.17.0 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4193
- chore(deps): bump mkdocs-material in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4194
- feat: 1password add support for tags and configurable PushSecret vault by @Dariusch (#4173)
- fix: ensure existing labels are retained for secrets in GCP secrets by @newtondev (#4160)
- fix: return not found error when there is no secret for vault provider by @Skarlso (#4183)
- fix: error in order of function call UpdateEnvironment by @dirien (#4201)
- BREAKING: Standardize GCP Secret Manager PushSecret metadata format and add CMEK support @janlauber in (#4210)
- docs: add raw markdown tags to PushSecret example in Google Secrets Manager documentation by @janlauber in (#4213)
- Design/target custom resources by @gusfcarvalho (#3449)
- chore(deps): bump github/codeql-action from 3.27.6 to 3.27.9 by @dependabot (#4215)
- chore(deps): bump actions/attest-build-provenance from 2.0.1 to 2.1.0 by @dependabot in (#4216)
- feat: update to use Batch value get instead of List and Fetch all secrets for AWS provider by @Skarlso in (#4181)
- fix: increase default QPS/Burst to 50/100 by @thesuperzapper (#4202)
- chore(deps): bump softprops/action-gh-release from 2.1.0 to 2.2.0 by @dependabot (#4217)
- chore(deps): bump actions/setup-go from 5.1.0 to 5.2.0 by @dependabot (#4218)
- chore(deps): bump certifi from 2024.8.30 to 2024.12.14 by @dependabot
- chore(deps): bump golang from `6c5c959` to `6c5c959` by @dependabot (#4220)
- chore: update dependencies by @eso-service-account-app (#4223)
- Add AWS ECR Public authorization token support by @pmcenery (#4229)
- fix: typo in the ecrAuthorizationTokenSpec json tag by @Skarlso (#4212)
- feat: fix a bunch of Sonar issues by @Skarlso (#4208)
- fix: Dockerfile.ubi using the wrong registry by @Skarlso (#4234)
- feat: add filterCertChain template helper function by @sboschman (#3934)
- fix: SonarCloud security hotspot by @Skarlso in (#4235)
Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.11.0...v0.12.1
v0.11.0
Deprecation of OLM Releases
0.11.0 is the last release available for OLM until further notice. Depending on the way this goes, we might still have OLM support (ideally with a properly built operator for that), but for sure in a different support scheme so as not to overload maintainers anymore.
Also a valid note - you can still use 0.11.0 OLM release and the newest ESO images, you just need to set image.tag appropriately in your setup.
Kubernetes API load and significant decrease
A new way of reconciling external secrets has been added with pull request #4086.
This significantly reduces the number of API calls that we make to the kubernetes API server.
- Memory usage might increase if you are not already using `--enable-secrets-caching`
  - If you are using `--enable-secrets-caching` and want to decrease memory usage at the expense of slightly higher API usage, you can disable it and only enable `--enable-managed-secrets-caching` (which is the new default)
- In ALL cases (even when CreationPolicy is Merge), if a data key in the target Secret was created by the ExternalSecret, and it no longer exists in the template (or data/dataFrom), it will be removed from the target secret:
  - This might cause some people's secrets to be "cleaned of data keys" when updating to 0.11.
  - Previously, the behaviour was undefined, and confusing because it was sort of broken when the template feature was added.
  - The one exception is that ALL the data suddenly becomes empty and the DeletionPolicy is retain, in which case we will not even report an error, just change the SecretSynced message to explain that the secret was retained.
- When CreationPolicy is Owner, we now will NEVER retain any keys and fully calculate the "desired state" of the target secret each loop:
  - This means that some people's secrets might have keys removed when updating to 0.11.
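The key-removal rules above can be checked against your own Secrets before upgrading. The following is an added example, not code from external-secrets: a simplified Python model of the rules as the release notes state them. The function names, the `managed_keys` input (which keys the ExternalSecret created earlier) and the sample data are assumptions constructed for illustration.

```python
"""Simplified model of the v0.11.0 target-Secret key rules (added example).

Assumption: the caller supplies managed_keys, the set of data keys the
ExternalSecret created earlier; how the operator tracks that is not modelled.
"""

def plan_target_secret(existing, managed_keys, desired,
                       creation_policy="Owner", deletion_policy="Retain"):
    """Return (new_data, removed_keys, retained) for one reconcile loop."""
    # Stated exception: ALL data becomes empty and DeletionPolicy is Retain,
    # so the Secret is kept untouched and no error is reported.
    if not desired and deletion_policy == "Retain":
        return dict(existing), [], True
    if creation_policy == "Owner":
        # Owner: never retain keys, the desired state is computed in full.
        new_data = dict(desired)
    elif creation_policy == "Merge":
        # Merge: keep keys the ExternalSecret did not create, drop managed
        # keys that are no longer in the template / data / dataFrom.
        new_data = {k: v for k, v in existing.items()
                    if k not in managed_keys or k in desired}
        new_data.update(desired)
    else:
        raise ValueError(f"creation policy {creation_policy!r} is not modelled")
    removed = sorted(set(existing) - set(new_data))
    return new_data, removed, False

def upgrade_report(cases):
    """Map each case name to the keys that would disappear after the upgrade."""
    report = {}
    for name, case in cases.items():
        _, removed, _ = plan_target_secret(**case)
        if removed:
            report[name] = removed
    return report

# Constructed sample data: "ca.crt" was added by hand, the rest by the ExternalSecret.
EXISTING = {"username": "app", "password": "old", "api-token": "t0", "ca.crt": "manual"}
MANAGED = {"username", "password", "api-token"}
DESIRED = {"username": "app", "password": "new"}  # api-token dropped from the template
CASES = {
    "team-a/db-merge": dict(existing=EXISTING, managed_keys=MANAGED,
                            desired=DESIRED, creation_policy="Merge"),
    "team-a/db-owner": dict(existing=EXISTING, managed_keys=MANAGED,
                            desired=DESIRED, creation_policy="Owner"),
    "team-b/empty": dict(existing=EXISTING, managed_keys=MANAGED, desired={},
                         creation_policy="Merge", deletion_policy="Retain"),
}

if __name__ == "__main__":
    for name, keys in upgrade_report(CASES).items():
        print(f"{name}: keys removed on next reconcile: {', '.join(keys)}")
```

Under Merge only the stale managed key goes away, while under Owner the hand-added `ca.crt` is removed as well, which is the case most likely to surprise workloads after the upgrade.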
Generators and ClusterGenerator
We added ClusterGenerators and Generator caching as well. This might create some problems in the way generators are defined now.
CRD Admission Restrictions
All of the CRDs now have proper kubebuilder markers for validation. This might surprise someone leaving out some data that was essentially actually required or expected in a certain format. This is now validated in #4104.
Images
Image: ghcr.io/external-secrets/external-secrets:v0.11.0
Image: ghcr.io/external-secrets/external-secrets:v0.11.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.11.0-ubi-boringssl
What's Changed
- chore: bump version v0.10.7 by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4141
- feat: significantly reduce api calls and introduce partial secret cache by @thesuperzapper in https://github.com/external-secrets/external-secrets/pull/4086
- chore(deps): bump mkdocs-material from 9.5.44 to 9.5.45 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4143
- chore(deps): bump tornado from 6.4.1 to 6.4.2 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4144
- chore(deps): bump codecov/codecov-action from 5.0.2 to 5.0.7 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4145
- chore(deps): bump aquasecurity/trivy-action from 0.28.0 to 0.29.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4146
- chore(deps): bump github/codeql-action from 3.27.4 to 3.27.5 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4147
- chore: update dependencies by @eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4148
- fix: gitlab empty response by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4152
- feat: add ability to push expiration date to secret in azure key vault by @deggja in https://github.com/external-secrets/external-secrets/pull/4149
- feat: implement a cluster-wide generator by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4140
- feat: Add API key auth support on BeyondTrust provider by @dtejadav in https://github.com/external-secrets/external-secrets/pull/4101
- Add support for multiple Items fields in DelineSecretServer secrets by @ronaldosaheki in https://github.com/external-secrets/external-secrets/pull/4051
- chore: deprecation policy and deprecating process by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4154
- fix: use cache when retrieving generators by @thesuperzapper in https://github.com/external-secrets/external-secrets/pull/4153
- fix: e2e test for AWS not setting name and namespace by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4157
- fix: handle managed identity ClientID or ResourceID in acr generator by @bonddim in https://github.com/external-secrets/external-secrets/pull/4150
- feat: add CRD validation for resource name/key fields by @thesuperzapper in https://github.com/external-secrets/external-secrets/pull/4104
- fix: issues with generators by @thesuperzapper in https://github.com/external-secrets/external-secrets/pull/4163
New Contributors
- @thesuperzapper made their first contribution in https://github.com/external-secrets/external-secrets/pull/4086
- @deggja made their first contribution in https://github.com/external-secrets/external-secrets/pull/4149
- @dtejadav made their first contribution in https://github.com/external-secrets/external-secrets/pull/4101
- @ronaldosaheki made their first contribution in https://github.com/external-secrets/external-secrets/pull/4051
- @bonddim made their first contribution in https://github.com/external-secrets/external-secrets/pull/4150
Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.10.7...v0.11.0
This MR has been generated by Renovate Bot.