Update dependency external-secrets/external-secrets to v0.18.0 (!277) · Merge requests · Sylva-projects / sylva-elements / workload-cluster-operator

This MR contains the following updates:

Package	Type	Update	Change
external-secrets/external-secrets	Kustomization	minor	`v0.10.7` -> `v0.18.0`

Release Notes

external-secrets/external-secrets (external-secrets/external-secrets)

`v0.18.0`

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.18.0 NOTE - the following UBI images are not currently working (broken build process). Image: ghcr.io/external-secrets/external-secrets:v0.18.0-ubi Image: ghcr.io/external-secrets/external-secrets:v0.18.0-ubi-boringssl

Potential Breaking Changes

This version includes a massive refactor of the AWS providers. Now, they are finally using V2 and thus opened some regions and are more maintainable. Massive thanks goes to @Ilhan-Personal for this work. We really appreciate all the effort that went into this. Thank you!

Further update has been done to 1Password provider SDK. Now, GetSecretMap functions the same way as 1Password connect. Which is that it uses extract to filter for files or other values.

Image: ghcr.io/external-secrets/external-secrets:v0.17.0 Image: ghcr.io/external-secrets/external-secrets:v0.17.0-ubi Image: ghcr.io/external-secrets/external-secrets:v0.17.0-ubi-boringssl

BREAKING CHANGE

v0.17.0 Stops serving v1beta1 apis. You need to update your manifests from v1beta1 to v1 prior to updating from v0.16 to v0.17.

The only change needed is upgrading your manifests to v1 (i.e. removing the beta1 from v1beta1).

Be sure to do that to all your manifests prior to bumping to v0.17.0! v0.16.2 already supports v1 so this process should be smooth.

What's Changed

chore: update helm charts v0.16.2 by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4748
fix: typo on delete method for repo by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4750
fix: Show Errors from Github by @Alexander-Cairns in https://github.com/external-secrets/external-secrets/pull/4753
doc(openbao): add information about it working with vault provider by @eyenx in https://github.com/external-secrets/external-secrets/pull/4755
Gc/fix/gcp pushsecret location replication by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4751
chore: unserve v1beta1 and mark it as deprecated by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4758
fix: not releasing helm charts when its already released by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4771
fix: remove comment from helm by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4772
infisical: support secrets within paths for data references by @lgo in https://github.com/external-secrets/external-secrets/pull/4305
chore(deps): bump pyyaml-env-tag from 0.1 to 1.0 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4761
chore(deps): bump platformdirs from 4.3.7 to 4.3.8 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4762
chore(deps): bump mkdocs-material from 9.6.12 to 9.6.13 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4763
chore(deps): bump golang from 1.24.2 to 1.24.3 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4764
chore(deps): bump golang from 1.24.2-bookworm to 1.24.3-bookworm in /e2e by @dependabot in https://github.com/external-secrets/external-secrets/pull/4765
chore(deps): bump actions/setup-go from 5.4.0 to 5.5.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4766
Cache separate vault clients for each namespace if necessary by @ChristianCiach in https://github.com/external-secrets/external-secrets/pull/4706
chore(deps): bump dependabot/fetch-metadata from 2.3.0 to 2.4.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4768
feat: improve code integration api by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4777
chore: update dependencies by @eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4770
chore(deps): bump actions/dependency-review-action from 67d4f4b to 8805179 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4767
fix: adds releases to stability and support by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4776
Update docs/example for ECR token generator by @Moulick in https://github.com/external-secrets/external-secrets/pull/4773
feat: add 1Password SDK based provider by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4628
chore: updates stability support for 0.17.0 by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4779
fix: update provider examples to use apiVersion external-secrets.io/v1 by @rowanruseler in https://github.com/external-secrets/external-secrets/pull/4757

New Contributors

@Alexander-Cairns made their first contribution in https://github.com/external-secrets/external-secrets/pull/4753
@eyenx made their first contribution in https://github.com/external-secrets/external-secrets/pull/4755
@ChristianCiach made their first contribution in https://github.com/external-secrets/external-secrets/pull/4706
@Moulick made their first contribution in https://github.com/external-secrets/external-secrets/pull/4773
@rowanruseler made their first contribution in https://github.com/external-secrets/external-secrets/pull/4757

Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.16.2...v0.17.0

`v0.16.2`

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.16.2 Image: ghcr.io/external-secrets/external-secrets:v0.16.2-ubi Image: ghcr.io/external-secrets/external-secrets:v0.16.2-ubi-boringssl

BREAKING CHANGE

When updating to v0.16.2, if you leverage Generators with refreshInterval: 0 or any refreshPolicy to not update it, this version WILL FORCE THAT VALUE TO BE UPDATED.

Apologies to the user base, we did not expect this breaking change behavior out of these contributions. 🙇 🙏

What's Changed

chore: release charts v0.16.1 by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4678
feat: adds harden-runner to pipelines by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4683
[StepSecurity] Apply security best practices by @step-security-bot in https://github.com/external-secrets/external-secrets/pull/4684
docs: update example for bitwarden password manager by @lunarys in https://github.com/external-secrets/external-secrets/pull/4674
feat(helm): add grafana dashboard by @onedr0p in https://github.com/external-secrets/external-secrets/pull/4686
chore(deps): bump softprops/action-gh-release from 2.2.1 to 2.2.2 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4688
chore(deps): bump codecov/codecov-action from 5.4.0 to 5.4.2 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4689
chore(deps): bump mkdocs-material from 9.6.11 to 9.6.12 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4690
chore(deps): bump golang from 1.24.2-alpine@sha256:7772cb5322baa875edd74705556d08f0eeca7b9c4b5367754ce3f2f00041ccee to sha256:d9db32125db0c3a680cfb7a1afcaefb89c898a075ec148fdc2f0f646cc2ed509 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4691
chore(deps): bump packaging from 24.2 to 25.0 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4693
chore: update dependencies by @eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4694
chore: Add skeeled to ADOPTERS.md by @carneiroskeeled in https://github.com/external-secrets/external-secrets/pull/4695
Update md5 hashing algorithim to sha3 by @kbsteere in https://github.com/external-secrets/external-secrets/pull/4696
fix: ci artefact push by @moolen in https://github.com/external-secrets/external-secrets/pull/4699
chore(deps): bump github/codeql-action from 3.28.15 to 3.28.16 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4710
chore(deps): bump actions/setup-python from 5.5.0 to 5.6.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4711
chore(deps): bump anchore/sbom-action from 0.18.0 to 0.19.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4712
chore(deps): bump step-security/harden-runner from 2.11.1 to 2.12.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4713
chore(deps): bump ubi8/ubi from 8bd1b63 to 244e985 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4719
chore(deps): bump certifi from 2025.1.31 to 2025.4.26 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4717
chore(deps): bump importlib-metadata from 8.6.1 to 8.7.0 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4716
chore(deps): bump pymdown-extensions from 10.14.3 to 10.15 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4715
chore(deps): bump sigstore/cosign-installer from 3.8.1 to 3.8.2 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4714
fix: add kmskeyid to secret creation by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4729
fix: ClusterExternalSecrets were not able to adopt externalSecret after update to v1 by @Meallia in https://github.com/external-secrets/external-secrets/pull/4724
chore(deps): bump github/codeql-action from 3.28.16 to 3.28.17 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4735
chore(deps): bump actions/create-github-app-token from 2.0.2 to 2.0.6 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4736
chore(deps): bump actions/attest-build-provenance from 2.2.3 to 2.3.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4737
chore(deps): bump golang from 00eccd4 to 79390b5 in /e2e by @dependabot in https://github.com/external-secrets/external-secrets/pull/4738
chore(deps): bump termcolor from 3.0.1 to 3.1.0 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4739
chore(deps): bump charset-normalizer from 3.4.1 to 3.4.2 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4740
chore(deps): bump golang from 7772cb5 to 7772cb5 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4741
chore(deps): bump golangci/golangci-lint-action from 6.5.2 to 8.0.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4734
chore: document kubernetes provider pushsecret type by @mhrabovcin in https://github.com/external-secrets/external-secrets/pull/4725
feat(helm): Offer the possiblity to disable aggreate-to-view and aggregate-to-edit on default ClusterRoles by @linoleparquet in https://github.com/external-secrets/external-secrets/pull/4733
Feat/generic webhook ntlm auth by @yifongau in https://github.com/external-secrets/external-secrets/pull/4316

New Contributors

@step-security-bot made their first contribution in https://github.com/external-secrets/external-secrets/pull/4684
@lunarys made their first contribution in https://github.com/external-secrets/external-secrets/pull/4674
@carneiroskeeled made their first contribution in https://github.com/external-secrets/external-secrets/pull/4695
@kbsteere made their first contribution in https://github.com/external-secrets/external-secrets/pull/4696
@Meallia made their first contribution in https://github.com/external-secrets/external-secrets/pull/4724
@mhrabovcin made their first contribution in https://github.com/external-secrets/external-secrets/pull/4725
@linoleparquet made their first contribution in https://github.com/external-secrets/external-secrets/pull/4733
@yifongau made their first contribution in https://github.com/external-secrets/external-secrets/pull/4316

Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.16.1...v0.16.2

`v0.16.1`

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.16.1 Image: ghcr.io/external-secrets/external-secrets:v0.16.1-ubi Image: ghcr.io/external-secrets/external-secrets:v0.16.1-ubi-boringssl

What's Changed

chore: bump helm to 0.16.0 by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4660
fix: remove crds from bundle by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4664
fix: applying several pipeline fixes by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4667
fix: pipeline permissions by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4669
fix: publish permissions by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4670
fix: prevent is-fork by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4671
fix: publish workflow by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4672
fix: conversion setting on bundle crds by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4673
fix: remove the conversion hook completely by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4675

Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.16.0...v0.16.1

Guide to Promoting to 0.16

Pre Upgrade checks

Make sure you are not using any `v1alpha1` resources across all of your infrastructure.

You can do that by performing manual inspection on your manifests, tooling, etc.

Make sure there are no storedVersions on v1alpha1 for `externalsecrets`, `clusterexternalsecrets`, `secretstores` and `clustersecretstores` crds:

Run the following command:

kubectl get crd \
    externalsecrets.external-secrets.io\
    secretstores.external-secrets.io\
    clustersecretstores.external-secrets.io\
    clusterexternalsecrets.external-secrets.io\
    -o jsonpath='{.items[*].status.storedVersions[?(@&#8203;=="v1alpha1")]}' | \
    grep -q v1alpha1 && echo "NOT SAFE! REMOVE v1alpha1 FROM YOUR STORED VERSIONS" || echo "Safe to Continue"

If that command returns not safe, remove v1alpha1 from your stored versions. Make sure this status is persisted after you verify these commands.

kubectl patch --subresource=status crd externalsecrets.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd secretstores.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd clusterexternalsecrets.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd clustersecretstores.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]'

Upgrading

CRDs as part of external-secrets installation

If you're installing external-secrets CRDs with helm (installCRDs=true - the default), all you need to do is

helm repo update
helm upgrade <your_app_name> external-secrets/external-secrets --version 0.16.1

The same goes if you're using argocd or flux and managing crds directly with helm. The above should just work.

CRDs installed separately

If CRDs are installed separately, the first step you need to do is bump the crds:

kubectl apply -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.16.1/deploy/crds/bundle.yaml

Verify no error occurs. After that, you can freely migrate external-secrets to v0.16.1.

Troubleshooting

conversion webhook for external-secrets.io/v1, Kind=ExternalSecret failed: the server could not find the requested resource

Root cause: the CRD installation process failed. Double check your CRD installation process finished successfully

`v0.16.0`

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.16.0 Image: ghcr.io/external-secrets/external-secrets:v0.16.0-ubi Image: ghcr.io/external-secrets/external-secrets:v0.16.0-ubi-boringssl

!!! warning it is known v0.16.0 will not be an easy upgrade if you're not consuming from our official sources via helm. we are improving the upgrade path for users depending on kustomize in 0.16.1. Please be patient :)

Guide to Promoting to 0.16

Pre Upgrade checks

Make sure you are not using any `v1alpha1` resources across all of your infrastructure.

You can do that by performing manual inspection on your manifests, tooling, etc.

Make sure there are no storedVersions on v1alpha1 for `externalsecrets`, `clusterexternalsecrets`, `secretstores` and `clustersecretstores` crds:

Run the following command:

kubectl get crd \
    externalsecrets.external-secrets.io\
    secretstores.external-secrets.io\
    clustersecretstores.external-secrets.io\
    clusterexternalsecrets.external-secrets.io\
    -o jsonpath='{.items[*].status.storedVersions[?(@&#8203;=="valpha1")]}' | \
    grep -q v1alpha1 && echo "NOT SAFE! REMOVE v1alpha1 FROM YOUR STORED VERSIONS" || echo "Safe to Continue"

If that command returns not safe, remove v1alpha1 from your stored versions. Make sure this status is persisted after you verify these commands.

kubectl patch --subresource=status crd externalsecrets.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd secretstores.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd clusterexternalsecrets.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd clustersecretstores.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]'

Upgrading

CRDs as part of external-secrets installation

If you're installing external-secrets CRDs with helm (installCRDs=true - the default), all you need to do is

helm repo update
helm upgrade <your_app_name> external-secrets/external-secrets --version 0.16.1

The same goes if you're using argocd or flux and managing crds directly with helm. The above should just work.

CRDs installed separately

If CRDs are installed separately, the first step you need to do is bump the crds:

kubectl apply -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.16.1/deploy/crds/bundle.yaml

Verify no error occurs. After that, you can freely migrate external-secrets to v0.16.1.

Troubleshooting

conversion webhook for external-secrets.io/v1, Kind=ExternalSecret failed: the server could not find the requested resource

Root cause: the CRD installation process failed. Double check your CRD installation process finished successfully

spec.conversion.webhookClientConfig: Forbidden: should not be set when strategy is not set to Webhook

Use 0.16.1 as opposed to 0.16.0 on your installation path. That should be fixed on this release

My issue is not here What do I do?

Add a message to https://github.com/external-secrets/external-secrets/issues/4662

BREAKING CHANGES

This release introduces quite a few breaking changes, including:

Removal of Conversion Webhooks and SecretStore/v1alpha1, ExternalSecret/v1alpha1 and their cluster counterparts
Promotion of ExternalSecret/v1 and SecretStore/v1 and their cluster counterparts
Removal of v1 templating engine
Removal of ValueMaps from Fake Secret Store

if you have any issues during your upgrade, please check https://github.com/external-secrets/external-secrets/issues/4662

What's Changed

chore: bump 0.15.1 by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4599
chore(deps): bump distroless/static from 95ea148 to 3d0f463 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4602
chore(deps): bump actions/setup-python from 5.4.0 to 5.5.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4603
chore(deps): bump crazy-max/ghaction-import-gpg from 6.2.0 to 6.3.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4605
chore(deps): bump goreleaser/goreleaser-action from 6.2.1 to 6.3.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4606
chore(deps): bump github/codeql-action from 3.28.12 to 3.28.13 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4607
chore(deps): bump mkdocs-material from 9.6.9 to 9.6.10 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4608
remove days from refreshInterval docs by @lmcewen9 in https://github.com/external-secrets/external-secrets/pull/4601
feat: Add AWSProvider.prefix to aws secrets manager by @justinwalz in https://github.com/external-secrets/external-secrets/pull/4612
feat(aws): support for aws tags by @ivankatliarchuk in https://github.com/external-secrets/external-secrets/pull/4538
docs: remove OLM installation and release docs by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4617
chore: update dependencies by @eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4609
chore(deps): bump golang from 1.24.1 to 1.24.2 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4618
chore(deps): bump termcolor from 2.5.0 to 3.0.1 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4619
chore(deps): bump mkdocs-material from 9.6.10 to 9.6.11 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4620
chore(deps): bump golang from 1.24.1-bookworm to 1.24.2-bookworm in /e2e by @dependabot in https://github.com/external-secrets/external-secrets/pull/4621
fix(gcp): makes workload identity parameters optional by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4622
chore: update dependencies by @eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4624
feat: check-diff on update deps by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4632
docs: fix pento website url in the docs by @pragmaticivan in https://github.com/external-secrets/external-secrets/pull/4639
Support annotations on ValidatingWebhookConfigurations in order to su… by @davidkarlsen in https://github.com/external-secrets/external-secrets/pull/4638
fix: controller-options by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4637
fix: failure on github deprecation use of status checks by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4640
fix: replace error check with ok check by @iurisevero in https://github.com/external-secrets/external-secrets/pull/4636
feat: add refreshPolicy field to ExternalSecret for enhanced synchronization control by @Sn0rt in https://github.com/external-secrets/external-secrets/pull/4594
fix: enhancing security for new workflow by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4641
chore(deps): bump golang from 75e6700 to 00eccd4 in /e2e by @dependabot in https://github.com/external-secrets/external-secrets/pull/4644
chore(deps): bump golang from 7772cb5 to 7772cb5 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4649
chore(deps): bump github/codeql-action from 3.28.13 to 3.28.15 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4645
chore(deps): bump markdown from 3.7 to 3.8 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4646
chore(deps): bump urllib3 from 2.3.0 to 2.4.0 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4647
chore: update dependencies by @eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4651
chore: bump go to 1.24.2 by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4652
chore: promote v1 by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4635
fix: revert main to 0.15.1 by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4657
fix: restore 0.16.0 by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4659

New Contributors

@lmcewen9 made their first contribution in https://github.com/external-secrets/external-secrets/pull/4601
@justinwalz made their first contribution in https://github.com/external-secrets/external-secrets/pull/4612
@ivankatliarchuk made their first contribution in https://github.com/external-secrets/external-secrets/pull/4538
@pragmaticivan made their first contribution in https://github.com/external-secrets/external-secrets/pull/4639
@davidkarlsen made their first contribution in https://github.com/external-secrets/external-secrets/pull/4638

Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.15.1...v0.16.0

`v0.15.1`

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.15.1 Image: ghcr.io/external-secrets/external-secrets:v0.15.1-ubi Image: ghcr.io/external-secrets/external-secrets:v0.15.1-ubi-boringssl

`v0.15.0`

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.15.0 Image: ghcr.io/external-secrets/external-secrets:v0.15.0-ubi Image: ghcr.io/external-secrets/external-secrets:v0.15.0-ubi-boringssl

What's Changed

chore: update helm charts to v0.14.4 by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4531
Fix certificate revisionHistoryLimit schema by @Aransh in https://github.com/external-secrets/external-secrets/pull/4534
Improve Grafana generator integration with in-cluster Grafana by @solidDoWant in https://github.com/external-secrets/external-secrets/pull/4519
feat: introduce codeql scan for code sections by @Setland34 in https://github.com/external-secrets/external-secrets/pull/4198
feat: add metadata setting to encode secrets as decoded values by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4535
Update full-pushsecret.yaml by @Eitan1112 in https://github.com/external-secrets/external-secrets/pull/4547
chore(deps): bump mkdocs-material from 9.6.7 to 9.6.8 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4555
chore(deps): bump aquasecurity/trivy-action from 0.29.0 to 0.30.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4550
chore(deps): bump docker/login-action from 3.3.0 to 3.4.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4551
chore(deps): bump golangci/golangci-lint-action from 6.5.0 to 6.5.1 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4552
fix: skip none-existing keys by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4517
chore(deps): bump ubi8/ubi from ecbeb81 to 5993454 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4553
fix: define top level permissions and fix token scope by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4543
Fix Grafana generator not passing desired SA role to creation request by @solidDoWant in https://github.com/external-secrets/external-secrets/pull/4533
chore(deps): bump distroless/static from 3f2b64e to 95ea148 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4554
feat: non standard templating delimiters by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4558
chore: update dependencies by @eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4556
feat: add cloud.ru secret manager support by @default23 in https://github.com/external-secrets/external-secrets/pull/3716
fix: check if secret is being deleted during fetch by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4562
feat: cluster push secret with pushing all secrets from a namespace by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4162

New Contributors

@solidDoWant made their first contribution in https://github.com/external-secrets/external-secrets/pull/4519
@Setland34 made their first contribution in https://github.com/external-secrets/external-secrets/pull/4198
@Eitan1112 made their first contribution in https://github.com/external-secrets/external-secrets/pull/4547
@default23 made their first contribution in https://github.com/external-secrets/external-secrets/pull/3716

Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.14.4...v0.15.0

`v0.14.4`

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.14.4 Image: ghcr.io/external-secrets/external-secrets:v0.14.4-ubi Image: ghcr.io/external-secrets/external-secrets:v0.14.4-ubi-boringssl

What's Changed

fix: do not return pointer to session from cache by @moolen in https://github.com/external-secrets/external-secrets/pull/4478
chore: update helm charts to v0.14.3 by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4482
chore: stability-support.md by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4480
Fix certificate revisionHistoryLimit invalid quote by @Aransh in https://github.com/external-secrets/external-secrets/pull/4483
Improve documentation for webhook auth secrets by @KoenraadM in https://github.com/external-secrets/external-secrets/pull/4485
fix: removed unused vars from apis/generators/v1alpha1/register.go by @gkech in https://github.com/external-secrets/external-secrets/pull/4477
[feature] added Prometheus Status metric for the PushSecret objects by @MrImpossibru in https://github.com/external-secrets/external-secrets/pull/4489
chore(deps): bump mkdocs-material from 9.6.5 to 9.6.7 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4497
chore(deps): bump docker/setup-qemu-action from 3.4.0 to 3.6.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4495
chore(deps): bump actions/attest-build-provenance from 2.2.0 to 2.2.2 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4492
chore(deps): bump codecov/codecov-action from 5.3.1 to 5.4.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4491
chore(deps): bump actions/cache from 4.2.1 to 4.2.2 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4493
chore(deps): bump docker/setup-buildx-action from 3.9.0 to 3.10.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4494
chore(deps): bump ubi8/ubi from 881aaf5 to ecbeb81 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4496
fix: pass in namespace to managed cache for cluster scope if rbac is restricted by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4502
fix: allow using UUID as vault and item name by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4490
chore: update dependencies by @eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4498
docs: update aws identity doc adding EKS pod identity flow by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4432
feat: Allow to specify tags when pushing to Azure Key Vault by @twobiers in https://github.com/external-secrets/external-secrets/pull/4507
feat: enable pushing the entire secret with aws secrets manager by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4504
fix: remove fmt.Println from code and test code by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4509
fix: improve webhook provider PushSecret handling by @bhcleek in https://github.com/external-secrets/external-secrets/pull/4508
fix webhook provider docs by @bhcleek in https://github.com/external-secrets/external-secrets/pull/4514
Updates to AAD and date update by @sneakernuts in https://github.com/external-secrets/external-secrets/pull/4512
allow references expansion when searching secret by key infinsical by @tuxtof in https://github.com/external-secrets/external-secrets/pull/4486
use subtests in webprovider unit tests by @bhcleek in https://github.com/external-secrets/external-secrets/pull/4511
feat: make vault auth an optional entry by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4516
chore(deps): bump github/codeql-action from 3.28.10 to 3.28.11 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4521
chore(deps): bump jinja2 from 3.1.5 to 3.1.6 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4523
chore(deps): bump actions/attest-build-provenance from 2.2.2 to 2.2.3 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4522
chore: update dependencies by @eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4528
feat: update the go version 1.24 by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4525

New Contributors

@KoenraadM made their first contribution in https://github.com/external-secrets/external-secrets/pull/4485
@gkech made their first contribution in https://github.com/external-secrets/external-secrets/pull/4477
@MrImpossibru made their first contribution in https://github.com/external-secrets/external-secrets/pull/4489
@bhcleek made their first contribution in https://github.com/external-secrets/external-secrets/pull/4508
@sneakernuts made their first contribution in https://github.com/external-secrets/external-secrets/pull/4512
@tuxtof made their first contribution in https://github.com/external-secrets/external-secrets/pull/4486

Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.14.3...v0.14.4

`v0.14.3`

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.14.3 Image: ghcr.io/external-secrets/external-secrets:v0.14.3-ubi Image: ghcr.io/external-secrets/external-secrets:v0.14.3-ubi-boringssl

What's Changed

chore: update helm charts to v0.14.2 by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4425
docs: add a link to the cncf calendar for the community meeting by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4431
doc: revise and enhance Google Secret Manager authentication by @ionicsolutions in https://github.com/external-secrets/external-secrets/pull/4430
chore(deps): bump goreleaser/goreleaser-action from 6.1.0 to 6.2.1 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4434
chore(deps): bump alpine from 3.21.2 to 3.21.3 in /e2e by @dependabot in https://github.com/external-secrets/external-secrets/pull/4435
chore(deps): bump mkdocs-material from 9.6.3 to 9.6.4 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4437
chore(deps): bump alpine from 56fa17d to a8560b3 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4438
chore(deps): bump alpine from 56fa17d to a8560b3 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4442
docs: add examples of Governance document being applied for members joining by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4450
Make generator state commit err visible to the user / fix handling of empty state by @moolen in https://github.com/external-secrets/external-secrets/pull/4451
chore(deps): bump golangci/golangci-lint-action from 6.3.1 to 6.5.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4433
chore: update dependencies by @eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4443
Fix: add coversion hook to steps to disable webhook by @matt-matt-tmatt in https://github.com/external-secrets/external-secrets/pull/4453
fix: update helm chart tests by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4454
fix: Update Helm Readme For Log Params by @peterswica in https://github.com/external-secrets/external-secrets/pull/4457
Gc/feat/GitHub provider by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4459
update: update Kubernetes tags for vault provider and change path default by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4452
chore(deps): bump mkdocs-material from 9.6.4 to 9.6.5 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4466
fix: github secrets not creating new secrets by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4472
fix: panic on parameterstore.go by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4471
chore(deps): bump sigstore/cosign-installer from 3.8.0 to 3.8.1 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4462
chore(deps): bump actions/cache from 4.2.0 to 4.2.1 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4463
chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.1 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4464
chore(deps): bump github/codeql-action from 3.28.9 to 3.28.10 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4465
chore: update dependencies by @eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4468
chore: update helm test for github by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4475
feat: 1password find by tags by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4476

New Contributors

@matt-matt-tmatt made their first contribution in https://github.com/external-secrets/external-secrets/pull/4453

Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.14.2...v0.14.3

`v0.14.2`

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.14.2 Image: ghcr.io/external-secrets/external-secrets:v0.14.2-ubi Image: ghcr.io/external-secrets/external-secrets:v0.14.2-ubi-boringssl

What's Changed

chore: release v0.14.1 helm by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4401
fix: skip injecting service and cert if conversion is disabled by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4362
feat: add crd compliance tests by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4390
feat: add PushSecret ability to the webhook provider by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4360
docs: fix typo in the AWS Secrets manager provider docs by @robertmarsal in https://github.com/external-secrets/external-secrets/pull/4403
feat(chart): add support for revisionHistoryLimit on the cert by @knechtionscoding in https://github.com/external-secrets/external-secrets/pull/4292
fix: add push secret refreshInterval defaulting by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4404
fix: Improved error message for unsupported secret store kind by @peterswica in https://github.com/external-secrets/external-secrets/pull/4398
chore(deps): bump golang from 1.23.5-bookworm to 1.23.6-bookworm in /e2e by @dependabot in https://github.com/external-secrets/external-secrets/pull/4414
chore(deps): bump golang from 1.23.5 to 1.23.6 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4407
chore(deps): bump mkdocs-material from 9.6.1 to 9.6.3 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4408
chore(deps): bump github/codeql-action from 3.28.8 to 3.28.9 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4409
chore(deps): bump docker/setup-qemu-action from 3.3.0 to 3.4.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4410
chore(deps): bump sigstore/cosign-installer from 3.7.0 to 3.8.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4411
chore(deps): bump docker/setup-buildx-action from 3.8.0 to 3.9.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4412
chore(deps): bump golangci/golangci-lint-action from 6.2.0 to 6.3.1 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4413
Add more flexibility to webhook service by @ksangers in https://github.com/external-secrets/external-secrets/pull/4402
kubernetes provider documentation - Added section explaining how to create shared secret without cluster wide access by @renepupil in https://github.com/external-secrets/external-secrets/pull/4418
doc: enhance best practices for cluster-wide resources reconciliation by @ionicsolutions in https://github.com/external-secrets/external-secrets/pull/4423
fix: ignore NoSecretErr in generator state by @moolen in https://github.com/external-secrets/external-secrets/pull/4422
chore: update go version to 1.23.6 by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4420

New Contributors

@robertmarsal made their first contribution in https://github.com/external-secrets/external-secrets/pull/4403
@knechtionscoding made their first contribution in https://github.com/external-secrets/external-secrets/pull/4292
@peterswica made their first contribution in https://github.com/external-secrets/external-secrets/pull/4398
@ksangers made their first contribution in https://github.com/external-secrets/external-secrets/pull/4402
@renepupil made their first contribution in https://github.com/external-secrets/external-secrets/pull/4418
@ionicsolutions made their first contribution in https://github.com/external-secrets/external-secrets/pull/4423

Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.14.1...v0.14.2

`v0.14.1`

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.14.1 Image: ghcr.io/external-secrets/external-secrets:v0.14.1-ubi Image: ghcr.io/external-secrets/external-secrets:v0.14.1-ubi-boringssl

What's Changed

Implement SecretExists in AWS ParameterStore by @amirahav in https://github.com/external-secrets/external-secrets/pull/4377
fix: the esoctl tooling website was not working by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4383
chore: release v0.14.0 helm by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4385
docs: fix typo in templating guide by @sboschman in https://github.com/external-secrets/external-secrets/pull/4387
Added additional validation for a usecase where a namespace is provided for SecretStore CAprovider by @alekc in https://github.com/external-secrets/external-secrets/pull/4359
docs(typo): Update doc references from BitWarden to Bitwarden. by @mimartin12 in https://github.com/external-secrets/external-secrets/pull/4388
feat: Merging metrics and service monitor services by @remyj38 in https://github.com/external-secrets/external-secrets/pull/4356
feat: allow accessing original Vault response from VaultDynamicSecret by @m1so in https://github.com/external-secrets/external-secrets/pull/4358
fix: Fix typo that prevents the Password ClusterGenerator from working by @edeustua in https://github.com/external-secrets/external-secrets/pull/4389

New Contributors

@amirahav made their first contribution in https://github.com/external-secrets/external-secrets/pull/4377
@mimartin12 made their first contribution in https://github.com/external-secrets/external-secrets/pull/4388
@remyj38 made their first contribution in https://github.com/external-secrets/external-secrets/pull/4356
@m1so made their first contribution in https://github.com/external-secrets/external-secrets/pull/4358
@edeustua made their first contribution in https://github.com/external-secrets/external-secrets/pull/4389

Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.14.0...v0.14.1

`v0.14.0`

Compare Source

Potential Breaking Change

Stateful Generators have been introduced with:

feat: introduce state for generator and new grafana SA generator by @moolen in https://github.com/external-secrets/external-secrets/pull/4203.

While normally this isn't a problem, external secrets controller and push secrets controller have been changed.

If any normal operation that should work encounters a problem, please don't hesitate to open an issue. Please also include that the problem appeared after switching to this version. Thank you!

Image: ghcr.io/external-secrets/external-secrets:v0.14.0 Image: ghcr.io/external-secrets/external-secrets:v0.14.0-ubi Image: ghcr.io/external-secrets/external-secrets:v0.14.0-ubi-boringssl

What's Changed

chore: release v0.13.0 helm by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4322
fix: documentation and naming for render tool by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4324
fix: security issues with esoctl release action by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4325
sonar: ignore duplication warnings in test files by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4320
fix: sonar ignore duplication warning in test files only by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4329
fix: sonar configs by @thesuperzapper in https://github.com/external-secrets/external-secrets/pull/4334
feat: column storeType by @brenob6 in https://github.com/external-secrets/external-secrets/pull/4337
fix: retry failed reconciles much less aggressively by @thesuperzapper in https://github.com/external-secrets/external-secrets/pull/4339
chore(deps): bump pymdown-extensions from 10.14 to 10.14.1 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4341
chore(deps): bump importlib-metadata from 8.5.0 to 8.6.1 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4342
chore(deps): bump helm/chart-releaser-action from 1.6.0 to 1.7.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4343
chore(deps): bump actions/setup-go from 5.2.0 to 5.3.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4344
chore(deps): bump actions/stale from 9.0.0 to 9.1.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4345
chore(deps): bump fossas/fossa-action from 1.4.0 to 1.5.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4346
chore(deps): bump anchore/sbom-action from 0.17.9 to 0.18.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4347
chore(deps): bump golang from 47d3375 to 47d3375 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4348
chore: update dependencies by @eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4350
Adding prerequisites and a glossary to the documentation by @CarolCoCe in https://github.com/external-secrets/external-secrets/pull/4299
fix: security issues with esoctl release action take 2 by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4326
Fix passbolt refreshInterval by @cedricalfonsi in https://github.com/external-secrets/external-secrets/pull/4353
feat: add API version parameter to BeyondTrust Provider by @btfhernandez in https://github.com/external-secrets/external-secrets/pull/4354
feat: introduce state for generator and new grafana SA generator by @moolen in https://github.com/external-secrets/external-secrets/pull/4203
doc: link to the CNCF code of conduct by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4364
chore(deps): bump ubi8/ubi from 2e863fb to 881aaf5 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4365
chore(deps): bump actions/attest-build-provenance from 2.1.0 to 2.2.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4366
chore(deps): bump helm/chart-testing-action from 2.6.1 to 2.7.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4367
chore(deps): bump codecov/codecov-action from 5.1.2 to 5.3.1 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4369
chore(deps): bump github/codeql-action from 3.28.1 to 3.28.8 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4370
chore(deps): bump babel from 2.16.0 to 2.17.0 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4371
chore(deps): bump certifi from 2024.12.14 to 2025.1.31 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4372
chore(deps): bump pymdown-extensions from 10.14.1 to 10.14.3 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4373
chore(deps): bump mkdocs-material from 9.5.50 to 9.6.1 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4374
chore(deps): bump actions/setup-python from 5.3.0 to 5.4.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4368
fix: gitlab group variable regression by @babs in https://github.com/external-secrets/external-secrets/pull/4379

New Contributors

@brenob6 made their first contribution in https://github.com/external-secrets/external-secrets/pull/4337
@CarolCoCe made their first contribution in https://github.com/external-secrets/external-secrets/pull/4299
@cedricalfonsi made their first contribution in https://github.com/external-secrets/external-secrets/pull/4353
@babs made their first contribution in https://github.com/external-secrets/external-secrets/pull/4379

Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.13.0...v0.14.0

`v0.13.0`

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.13.0 Image: ghcr.io/external-secrets/external-secrets:v0.13.0-ubi Image: ghcr.io/external-secrets/external-secrets:v0.13.0-ubi-boringssl

BREAKING CHANGES

https://github.com/external-secrets/external-secrets/pull/4262 introduces a breaking change in the METADATA structure for the AWS PARAMETER STORE.

The old metadata structure changed to this new structure described here: https://external-secrets.io/latest/provider/aws-parameter-store/#additional-metadata-for-pushsecret

It looks like this:

metadata:
        apiVersion: kubernetes.external-secrets.io/v1alpha1
        kind: PushSecretMetadata
        spec:
          secretType: SecureString
          kmsKeyID: bb123123-b2b0-4f60-ac3a-44a13f0e6b6c
          tier:
            type: Advanced # default is Standard
            policies:
              - type: "Expiration"
                version: "1.0"
                attributes:
                  timestamp: "2024-12-02T21:34:33.000Z"
              - type: "ExpirationNotification"
                version: "1.0"
                attributes:
                  before: "2"
                  unit: "Days"
              - type: "ExpirationNotification"
                version: "1.0"
                attributes:
                  before: "30"
                  unit: "Days"
              - type: "NoChangeNotification"
                version: "1.0"
                attributes:
                  after: "30"
                  unit: "Days"

What's Changed

chore: release v0.12.1 by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4250
chore(deps): bump codecov/codecov-action from 5.1.1 to 5.1.2 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4236
chore(deps): bump docker/setup-buildx-action from 3.7.1 to 3.8.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4237
chore(deps): bump github/codeql-action from 3.27.9 to 3.28.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4238
chore(deps): bump mkdocs-material from 9.5.48 to 9.5.49 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4240
chore(deps): bump livereload from 2.7.0 to 2.7.1 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4241
chore(deps): bump urllib3 from 2.2.3 to 2.3.0 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4242
chore(deps): bump click from 8.1.7 to 8.1.8 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4243
chore(deps): bump jinja2 from 3.1.4 to 3.1.5 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4244
chore(deps): bump helm/kind-action from 1.10.0 to 1.12.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4249
chore: update dependencies by @eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4246
chore(deps): bump golang from 6c5c959 to 6c5c959 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4255
chore(deps): bump charset-normalizer from 3.4.0 to 3.4.1 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4256
chore(deps): bump pymdown-extensions from 10.12 to 10.13 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4257
chore(deps): bump softprops/action-gh-release from 2.1.0 to 2.2.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4258
chore(deps): bump golang from ef30001 to 2e83858 in /e2e by @dependabot in https://github.com/external-secrets/external-secrets/pull/4259
chore(deps): bump importlib-resources from 6.4.5 to 6.5.2 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4266
chore(deps): bump pygments from 2.18.0 to 2.19.1 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4270
add allowEmptyResponse to vaultdynamicsecrets by @Kyaak in https://github.com/external-secrets/external-secrets/pull/4271
docs: Fix IAM policy AWS SM provider by @rastut in https://github.com/external-secrets/external-secrets/pull/4275
feat(generators): add Quay generator support by @dronenb in https://github.com/external-secrets/external-secrets/pull/4252
chore: update dependencies by @eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4269
fix: run make check-diff on main by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4285
chore(deps): bump pymdown-extensions from 10.13 to 10.14 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4280
chore(deps): bump alpine from 21dc606 to 56fa17d by @dependabot in https://github.com/external-secrets/external-secrets/pull/4281
chore(deps): bump distroless/static from 5c7e2b4 to 3f2b64e by @dependabot in https://github.com/external-secrets/external-secrets/pull/4282
chore(deps): bump golang from 6c5c959 to c233391 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4283
chore: update dependencies by @eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4290
chore(deps): bump github/codeql-action from 3.28.0 to 3.28.1 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4289
chore(deps): bump softprops/action-gh-release from 2.2.0 to 2.2.1 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4288
chore(deps): bump docker/setup-qemu-action from 3.2.0 to 3.3.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4287
chore(deps): bump alpine from 21dc606 to 56fa17d in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4286
chore(deps): bump alpine from 3.21.0 to 3.21.2 in /e2e by @dependabot in https://github.com/external-secrets/external-secrets/pull/4284
Updated supported versions table by @mooneeb in https://github.com/external-secrets/external-secrets/pull/4296
docs: differentiate between two different bitwarden guides by @nareddyt in https://github.com/external-secrets/external-secrets/pull/4301
fix: helm chart test was not updated by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4302
feat: add configuring tier for aws parameter store by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4262
feat: add a renderer for template data and secrets by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4277
chore(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4307
chore(deps): bump anchore/sbom-action from 0.7.0 to 0.17.9 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4308
chore(deps): bump golang from 1.23.4-bookworm to 1.23.5-bookworm in /e2e by @dependabot in https://github.com/external-secrets/external-secrets/pull/4309
chore(deps): bump mkdocs-material from 9.5.49 to 9.5.50 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4311
chore(deps): bump ubi8/ubi from 37cdac4 to 2e863fb by @dependabot in https://github.com/external-secrets/external-secrets/pull/4312
chore(deps): bump golang from 1.23.4 to 1.23.5 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4313
infisical: fix error handling which previously failed silently (missing secrets, incorrect auth, etc.) by @lgo in https://github.com/external-secrets/external-secrets/pull/4304
fix: rename render to esoctl in release action by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4319

New Contributors

@Kyaak made their first contribution in https://github.com/external-secrets/external-secrets/pull/4271
@rastut made their first contribution in https://github.com/external-secrets/external-secrets/pull/4275
@dronenb made their first contribution in https://github.com/external-secrets/external-secrets/pull/4252
@mooneeb made their first contribution in https://github.com/external-secrets/external-secrets/pull/4296
@nareddyt made their first contribution in https://github.com/external-secrets/external-secrets/pull/4301
@lgo made their first contribution in https://github.com/external-secrets/external-secrets/pull/4304

Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.12.1...v0.13.0

`v0.12.1`

Compare Source

RELEASE VERSION

My apologies, when creating the release, 0.12.0 failed. The branch and tag however, have been created and I was unable to delete them. Thus, the version has been increased to 0.12.1 after the fix and now that's the current version. I hand updated the release notes to include everyone into the changes.

BREAKING CHANGES

The following breaking changes have been introduced into this release:

Permission update for AWS provider adding BulkFetch when getting multiple secrets ( significant API reduce but comes with adding a permission for bulk endpoint )
fixed a typo for a generator in the json tag where before it was ecrRAuthorizationTokenSpec with an extra R
We standardized the GCP Secrets Manager Metadata structure for PushSecrets ( be aware that existing manifests will stop working until updated to the standardized version ) for more info see https://github.com/external-secrets/external-secrets/pull/4210

Images

Image: ghcr.io/external-secrets/external-secrets:v0.12.1 Image: ghcr.io/external-secrets/external-secrets:v0.12.1-ubi Image: ghcr.io/external-secrets/external-secrets:v0.12.1-ubi-boringssl

What's Changed

chore(deps): bump ubi8/ubi from 7287624 to 37cdac4 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4245
revert: softprops update failing the release process by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4248
chore: bump helm chart version v0.11.0 by @Skarlso https://github.com/external-secrets/external-secrets/pull/4166
chore(deps): bump mkdocs-material in /hack/api-docs by @dependabot https://github.com/external-secrets/external-secrets/pull/4165
chore: update dependencies by @eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4169
Gc/fix clusterexternalsecret metrics by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4170
chore(deps): bump distroless/static from f4a57e8 to 5c7e2b4 by @dependabot https://github.com/external-secrets/external-secrets/pull/4164
chore: deprecate olm proposal by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4175
fix: error handling for gitlab variable fetch by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4177
fix: v1 templates with metadata + always cleanup orphaned secrets by @thesuperzapper in https://github.com/external-secrets/external-secrets/pull/4174
fix: handle empty template engine version by @thesuperzapper in https://github.com/external-secrets/external-secrets/pull/4182
chore(deps): bump actions/cache from 4.1.2 to 4.2.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4190
chore(deps): bump actions/attest-build-provenance from 1.4.4 to 2.0.1 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4189
chore(deps): bump github/codeql-action from 3.27.5 to 3.27.6 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4188
update dependencies in https://github.com/external-secrets/external-secrets/pull/4196
chore(deps): bump codecov/codecov-action from 5.0.7 to 5.1.1 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4187
chore(deps): bump alpine from 3.20.3 to 3.21.0 in /e2e by @dependabot in https://github.com/external-secrets/external-secrets/pull/4184
chore(deps): bump golang from 1.23.3-bookworm to 1.23.4-bookworm by @dependabot in https://github.com/external-secrets/external-secrets/pull/4185
chore(deps): bump alpine from 3.20 to 3.21 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4186
chore(deps): bump alpine from 1e42bbe to 21dc606 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4191
chore(deps): bump golang from 1.23.3 to 1.23.4 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4192
chore(deps): bump six from 1.16.0 to 1.17.0 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4193
chore(deps): bump mkdocs-material in /hack/api-docs by dependabot in by @dependabot in https://github.com/external-secrets/external-secrets/pull/4194

feat: 1password add support for tags and configurable PushSecret vault by @Dariusch (#4173)
fix: ensure existing labels are retained for secrets in GCP secrets by @newtondev (#4160)
fix: return not found error when there is no secret for vault provider by @Skarlso (#4183)
fix: error in order of function call UpdateEnvironment by @dirien (#4201)
BREAKING: Standardize GCP Secret Manager PushSecret metadata format and add CMEK support @janlauber in (#4210)
docs: add raw markdown tags to PushSecret example in Google Secrets Manager documentation by @janlauber in (#4213)
Design/target custom resources by @gusfcarvalho (#3449)
chore(deps): bump github/codeql-action from 3.27.6 to 3.27.9 by @dependabot (#4215)
chore(deps): bump actions/attest-build-provenance from 2.0.1 to 2.1.0 by @dependabot in (#4216)
feat: update to use Batch value get instead of List and Fetch all secrets for AWS provider by @Skarlso in (#4181)
fix: increase default QPS/Burst to 50/100 by @thesuperzapper (#4202)
chore(deps): bump softprops/action-gh-release from 2.1.0 to 2.2.0 by @dependabot (#4217)
chore(deps): bump actions/setup-go from 5.1.0 to 5.2.0 by @dependabot (#4218)
chore(deps): bump certifi from 2024.8.30 to 2024.12.14 by @dependabot
chore(deps): bump golang from 6c5c959 to 6c5c959 by @dependabot (#4220)
chore: update dependencies by @eso-service-account-app (#4223)
Add AWS ECR Public authorization token support by @pmcenery (#4229)
fix: typo in the ecrAuthorizationTokenSpec json tag by @Skarlso (#4212)
feat: fix a bunch of Sonar issues by @Skarlso (#4208)
fix: Dockerfile.ubi using the wrong registry by @Skarlso (#4234)
feat: add filterCertChain template helper function by @sboschman (#3934)
fix: SonarCloud security hotspot by @Skarlso in (#4235)

Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.11.0...v0.12.1

`v0.12.0`

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.12.0 Image: ghcr.io/external-secrets/external-secrets:v0.12.0-ubi Image: ghcr.io/external-secrets/external-secrets:v0.12.0-ubi-boringssl

`v0.11.0`

Compare Source

Deprecation of OLM Releases

As of 0.11.0 is the last release available for OLM until further notice. Depending on the way this goes, we might still have OLM support (ideally with a properly built operator for that), but for sure in a different support scheme as to not overload maintainers anymore. Also a valid note - you can still use 0.11.0 OLM release and the newest ESO images, you just need to set image.tag appropriately in your setup.

Kubernetes API load and significant decrease

A new way of reconciling external secrets has been added with pull request #4086.

This significantly reduces the number of API calls that we make to the kubernetes API server.

Memory usage might increase if you are not already using --enable-secrets-caching
1. If you are using --enable-secrets-caching and want to decrease memory usage at the expense of slightly higher API usage, you can disable it and only enable --enable-managed-secrets-caching (which is the new default)
In ALL cases (even when CreationPolicy is Merge), if a data key in the target Secret was created by the ExternalSecret, and it no longer exists in the template (or data/dataFrom), it will be removed from the target secret:
1. This might cause some peoples secrets to be "cleaned of data keys" when updating to 0.11.
2. Previously, the behaviour was undefined, and confusing because it was sort of broken when the template feature was added.
3. The one exception is that ALL the data suddenly becomes empty and the DeletionPolicy is retain, in which case we will not even report and error, just change the SecretSynced message to explain that the secret was retained.
When CreationPolicy is Owner, we now will NEVER retain any keys and fully calculate the "desired state" of the target secret each loop:
1. This means that some peoples secrets might have keys removed when updating to 0.11.

Generators and ClusterGenerator

We added ClusterGenerators and Generator caching as well. This might create some problems in the way generators are defined now.

CRD Admission Restrictions

All of the CRDs now have proper kubebuilder markers for validation. This might surprise someone leaving out some data that was essentially actually required or expected in a certain format. This is now validated in #4104.

Images

Image: ghcr.io/external-secrets/external-secrets:v0.11.0 Image: ghcr.io/external-secrets/external-secrets:v0.11.0-ubi Image: ghcr.io/external-secrets/external-secrets:v0.11.0-ubi-boringssl

What's Changed

chore: bump version v0.10.7 by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4141
feat: significantly reduce api calls and introduce partial secret cache by @thesuperzapper in https://github.com/external-secrets/external-secrets/pull/4086
chore(deps): bump mkdocs-material from 9.5.44 to 9.5.45 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4143
chore(deps): bump tornado from 6.4.1 to 6.4.2 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4144
chore(deps): bump codecov/codecov-action from 5.0.2 to 5.0.7 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4145
chore(deps): bump aquasecurity/trivy-action from 0.28.0 to 0.29.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4146
chore(deps): bump github/codeql-action from 3.27.4 to 3.27.5 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4147
chore: update dependencies by @eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4148
fix: gitlab empty response by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4152
feat: add ability to push expiration date to secret in azure key vault by @deggja in https://github.com/external-secrets/external-secrets/pull/4149
feat: implement a cluster-wide generator by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4140
feat: Add API key auth support on BeyondTrust provider by @dtejadav in https://github.com/external-secrets/external-secrets/pull/4101
Add support for multiple Items fields in DelineSecretServer secrets by @ronaldosaheki in https://github.com/external-secrets/external-secrets/pull/4051
chore: deprecation policy and deprecating process by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4154
fix: use cache when retrieving generators by @thesuperzapper in https://github.com/external-secrets/external-secrets/pull/4153
fix: e2e test for AWS not setting name and namespace by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4157
fix: handle managed identity ClientID or ResourceID in acr generator by @bonddim in https://github.com/external-secrets/external-secrets/pull/4150
feat: add CRD validation for resource name/key fields by @thesuperzapper in https://github.com/external-secrets/external-secrets/pull/4104
fix: issues with generators by @thesuperzapper in https://github.com/external-secrets/external-secrets/pull/4163

New Contributors

@thesuperzapper made their first contribution in https://github.com/external-secrets/external-secrets/pull/4086
@deggja made their first contribution in https://github.com/external-secrets/external-secrets/pull/4149
@dtejadav made their first contribution in https://github.com/external-secrets/external-secrets/pull/4101
@ronaldosaheki made their first contribution in https://github.com/external-secrets/external-secrets/pull/4051
@bonddim made their first contribution in https://github.com/external-secrets/external-secrets/pull/4150

Full Changelog: https://github.com/external-secrets/external-secrets/compare/v0.10.7...v0.11.0

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Edited Jun 17, 2025 by Sylva Renovate bot

Update dependency external-secrets/external-secrets to v0.18.0

Release Notes

Potential Breaking Changes

What's Changed

New Contributors

BREAKING CHANGE

What's Changed

New Contributors

BREAKING CHANGE

What's Changed

New Contributors

What's Changed

Guide to Promoting to 0.16

Pre Upgrade checks

Make sure you are not using any v1alpha1 resources across all of your infrastructure.

Make sure there are no storedVersions on v1alpha1 for externalsecrets, clusterexternalsecrets, secretstores and clustersecretstores crds:

Upgrading

CRDs as part of external-secrets installation

CRDs installed separately

Troubleshooting

conversion webhook for external-secrets.io/v1, Kind=ExternalSecret failed: the server could not find the requested resource

Guide to Promoting to 0.16

Pre Upgrade checks

Make sure you are not using any v1alpha1 resources across all of your infrastructure.

Make sure there are no storedVersions on v1alpha1 for externalsecrets, clusterexternalsecrets, secretstores and clustersecretstores crds:

Upgrading

CRDs as part of external-secrets installation

CRDs installed separately

Troubleshooting

conversion webhook for external-secrets.io/v1, Kind=ExternalSecret failed: the server could not find the requested resource

spec.conversion.webhookClientConfig: Forbidden: should not be set when strategy is not set to Webhook

My issue is not here What do I do?

BREAKING CHANGES

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

Potential Breaking Change

What's Changed

New Contributors

BREAKING CHANGES

What's Changed

New Contributors

RELEASE VERSION

BREAKING CHANGES

Images

What's Changed

Deprecation of OLM Releases

Kubernetes API load and significant decrease

Generators and ClusterGenerator

CRD Admission Restrictions

Images

What's Changed

New Contributors

Configuration

Merge request reports

Make sure you are not using any `v1alpha1` resources across all of your infrastructure.

Make sure there are no storedVersions on v1alpha1 for `externalsecrets`, `clusterexternalsecrets`, `secretstores` and `clustersecretstores` crds:

Make sure you are not using any `v1alpha1` resources across all of your infrastructure.

Make sure there are no storedVersions on v1alpha1 for `externalsecrets`, `clusterexternalsecrets`, `secretstores` and `clustersecretstores` crds: