Update Helm release external-secrets to v0.16.1 (main)

Sylva Renovate botrequested to merge
renovate/main-external-secrets-0.x into main

This MR contains the following updates:

Package Update Change
external-secrets minor 0.15.1 -> 0.16.1

Release Notes

external-secrets/external-secrets (external-secrets)

v0.16.1

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.16.1 Image: ghcr.io/external-secrets/external-secrets:v0.16.1-ubi Image: ghcr.io/external-secrets/external-secrets:v0.16.1-ubi-boringssl

What's Changed

Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.16.0...v0.16.1

Guide to Promoting to 0.16

Pre Upgrade checks

Make sure you are not using any v1alpha1 resources across all of your infrastructure.

You can do that by performing manual inspection on your manifests, tooling, etc.

Make sure there are no storedVersions on v1alpha1 for externalsecrets, clusterexternalsecrets, secretstores and clustersecretstores crds:

Run the following command:

kubectl get crd \
    externalsecrets.external-secrets.io\
    secretstores.external-secrets.io\
    clustersecretstores.external-secrets.io\
    clusterexternalsecrets.external-secrets.io\
    -o jsonpath='{.items[*].status.storedVersions[?(@​=="valpha1")]}' | \
    grep -q v1alpha1 && echo "NOT SAFE! REMOVE v1alpha1 FROM YOUR STORED VERSIONS" || echo "Safe to Continue"

If that command returns not safe, remove v1alpha1 from your stored versions. Make sure this status is persisted after you verify these commands.

kubectl patch --subresource=status crd externalsecrets.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd secretstores.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd clusterexternalsecrets.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd clustersecretstores.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]'

Upgrading

CRDs as part of external-secrets installation

If you're installing external-secrets CRDs with helm (installCRDs=true - the default), all you need to do is

helm repo update
helm upgrade <your_app_name> external-secrets/external-secrets --version 0.16.1

The same goes if you're using argocd or flux and managing crds directly with helm. The above should just work.

CRDs installed separately

If CRDs are installed separately, the first step you need to do is bump the crds:

kubectl apply -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.16.1/deploy/crds/bundle.yaml

Verify no error occurs. After that, you can freely migrate external-secrets to v0.16.1.

Troubleshooting

conversion webhook for external-secrets.io/v1, Kind=ExternalSecret failed: the server could not find the requested resource

Root cause: the CRD installation process failed. Double check your CRD installation process finished successfully

v0.16.0

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.16.0 Image: ghcr.io/external-secrets/external-secrets:v0.16.0-ubi Image: ghcr.io/external-secrets/external-secrets:v0.16.0-ubi-boringssl

!!! warning it is known v0.16.0 will not be an easy upgrade if you're not consuming from our official sources via helm. we are improving the upgrade path for users depending on kustomize in 0.16.1. Please be patient :)

Guide to Promoting to 0.16

Pre Upgrade checks

Make sure you are not using any v1alpha1 resources across all of your infrastructure.

You can do that by performing manual inspection on your manifests, tooling, etc.

Make sure there are no storedVersions on v1alpha1 for externalsecrets, clusterexternalsecrets, secretstores and clustersecretstores crds:

Run the following command:

kubectl get crd \
    externalsecrets.external-secrets.io\
    secretstores.external-secrets.io\
    clustersecretstores.external-secrets.io\
    clusterexternalsecrets.external-secrets.io\
    -o jsonpath='{.items[*].status.storedVersions[?(@&#8203;=="valpha1")]}' | \
    grep -q v1alpha1 && echo "NOT SAFE! REMOVE v1alpha1 FROM YOUR STORED VERSIONS" || echo "Safe to Continue"

If that command returns not safe, remove v1alpha1 from your stored versions. Make sure this status is persisted after you verify these commands.

kubectl patch --subresource=status crd externalsecrets.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd secretstores.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd clusterexternalsecrets.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd clustersecretstores.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]'

Upgrading

CRDs as part of external-secrets installation

If you're installing external-secrets CRDs with helm (installCRDs=true - the default), all you need to do is

helm repo update
helm upgrade <your_app_name> external-secrets/external-secrets --version 0.16.1

The same goes if you're using argocd or flux and managing crds directly with helm. The above should just work.

CRDs installed separately

If CRDs are installed separately, the first step you need to do is bump the crds:

kubectl apply -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.16.1/deploy/crds/bundle.yaml

Verify no error occurs. After that, you can freely migrate external-secrets to v0.16.1.

Troubleshooting

conversion webhook for external-secrets.io/v1, Kind=ExternalSecret failed: the server could not find the requested resource

Root cause: the CRD installation process failed. Double check your CRD installation process finished successfully

spec.conversion.webhookClientConfig: Forbidden: should not be set when strategy is not set to Webhook

Use 0.16.1 as opposed to 0.16.0 on your installation path. That should be fixed on this release

My issue is not here What do I do?

Add a message to https://github.com/external-secrets/external-secrets/issues/4662

BREAKING CHANGES

This release introduces quite a few breaking changes, including:

  • Removal of Conversion Webhooks and SecretStore/v1alpha1, ExternalSecret/v1alpha1 and their cluster counterparts
  • Promotion of ExternalSecret/v1 and SecretStore/v1 and their cluster counterparts
  • Removal of v1 templating engine
  • Removal of ValueMaps from Fake Secret Store

if you have any issues during your upgrade, please check https://github.com/external-secrets/external-secrets/issues/4662

What's Changed

New Contributors

Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.15.1...v0.16.0

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

  • If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot Sylva instance.

CI configuration couldn't be handle by MR description. A dedicated comment has been posted to control it.

If no checkbox is checked, a default pipeline will be enabled (capm3, or capo if capo label is set)

Edited by Sylva Renovate bot

Merge request reports