Skip to content

feat(secretserver): support authentication via access token#6597

Merged
evrardj-roche merged 11 commits into
external-secrets:mainfrom
sumanpal97:feat/secretserver-token-auth
Jul 17, 2026
Merged

feat(secretserver): support authentication via access token#6597
evrardj-roche merged 11 commits into
external-secrets:mainfrom
sumanpal97:feat/secretserver-token-auth

Conversation

@sumanpal97

Copy link
Copy Markdown
Contributor

Problem Statement

The Delinea Secret Server provider only supported username/password
authentication. Delinea Secret Server also issues access tokens, and many
users prefer (or are required) to authenticate with a token rather than
storing account credentials. There was no way to configure that in the
SecretStore/ClusterSecretStore.

Related Issue

Fixes #3977

Proposed Changes

  • Add an optional token field to the Secret Server provider spec
    (both v1 and v1beta1 APIs). It accepts either an inline value
    or a secretRef pointing at a Kubernetes Secret.
  • When token is set, username and password are no longer required
    and are ignored; the token is passed to the Delinea SDK's
    UserCredential.Token, which it already supports natively.
  • username and password are relaxed to optional; validation now
    requires either a token or a username/password pair, and rejects an
    empty/ambiguous token reference.
  • Namespace-dependency detection (doesConfigDependOnNamespace) is made
    nil-safe and token-aware.
  • Added unit tests covering token-via-value, token-via-secretRef,
    dangling token refs, and the updated validation paths.
  • Updated the Secret Server provider docs with an "Authenticating with an
    Access Token" section, and regenerated CRDs, deepcopy, snapshots, and
    the deploy bundle.

Checklist

  • I have read the contribution guidelines
  • All commits are signed with git commit --signoff
  • My changes have reasonable test coverage
  • All tests pass with make test
  • I ensured my PR is ready for review with make reviewable

Add an optional `token` field to the Delinea Secret Server provider so
users can authenticate with an existing access token instead of a
username/password pair. When `token` is set, username and password are
no longer required and are ignored. The token can be supplied inline via
`value` or referenced from a Kubernetes Secret via `secretRef`.

Applies to both v1 and v1beta1 APIs, updates validation and the client
credential loading, adds unit tests for the token paths, and refreshes
the generated CRDs/deepcopy/snapshots and provider docs.

Closes external-secrets#3977

Signed-off-by: sumanpal <sumanpal198@gmail.com>
@github-actions github-actions Bot added area/secretserver kind/feature Categorizes issue or PR as related to a new feature. area/documentation Issues / Pull Requests related to documentation labels Jul 4, 2026
@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

Adds token-based authentication to the Secret Server provider as an alternative to username and password credentials. The provider now resolves token values or secret references, applies token precedence, validates token references, and handles namespace dependencies. API types, generated deepcopy code, CRD schemas, bundled CRDs, documentation, provider tests, and configuration snapshots are updated accordingly.

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
Check name Status Explanation
Linked Issues check ✅ Passed The PR implements Secret Server API-token authentication, satisfying issue #3977's request for token-based login.
Out of Scope Changes check ✅ Passed The changes are focused on token auth support and its required docs, tests, CRDs, and generated code, with no clear unrelated additions.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added the size/l label Jul 4, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
providers/v1/secretserver/provider.go (1)

177-188: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Skip username/password in doesConfigDependOnNamespace when token auth is set.

getConfig treats Token as exclusive, but this helper still flags namespace-less Username/Password refs and can reject a ClusterSecretStore even when those fields are ignored. Short-circuit on Token the same way as getConfig.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@providers/v1/secretserver/provider.go` around lines 177 - 188, The
doesConfigDependOnNamespace helper is still validating Username and Password
secret refs even when Token auth is configured, which can incorrectly reject a
ClusterSecretStore. Update doesConfigDependOnNamespace in provider.go to
short-circuit on cfg.Token the same way getConfig does, so namespace checks for
Username and Password are skipped whenever Token is set and treated as
exclusive.
🧹 Nitpick comments (1)
deploy/crds/bundle.yaml (1)

7301-7340: 🗄️ Data Integrity & Integration | 🔵 Trivial | 🏗️ Heavy lift

Consider CEL validation for token vs username/password mutual requirement.

The regenerated schema removes password/username from required (now only serverURL is required) but doesn't add an x-kubernetes-validations rule enforcing "token or (username and password)" — unlike sibling providers in this same file (e.g. doppler.auth, openBao.auth, pulumi.auth) that use CEL rules for equivalent either/or credential constraints. Without such a rule, a SecretStore with none of token/username/password set will pass API-server admission and only fail later in the provider controller.

This file is auto-generated by controller-gen; any validation should be added via a kubebuilder +kubebuilder:validation:XValidation marker on the SecretServerProvider Go type (not in this file) and regenerated with make generate/make manifests, rather than hand-edited here.

Also applies to: 11822-11861, 20116-20155, 24637-24676

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/crds/bundle.yaml` around lines 7301 - 7340, Add a CEL validation on
SecretServerProvider to enforce the credential invariant “token or (username and
password)” since the regenerated schema only marks serverURL as required. Mirror
the sibling auth schemas in this bundle by adding a kubebuilder XValidation
marker on the SecretServerProvider Go type, then regenerate the CRD via the
normal controller-gen workflow instead of editing bundle.yaml by hand. Ensure
the rule covers the token, username, and password fields together so admission
rejects empty credentials before the controller sees the SecretStore.

Source: Learnings

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@providers/v1/secretserver/provider.go`:
- Around line 177-188: The doesConfigDependOnNamespace helper is still
validating Username and Password secret refs even when Token auth is configured,
which can incorrectly reject a ClusterSecretStore. Update
doesConfigDependOnNamespace in provider.go to short-circuit on cfg.Token the
same way getConfig does, so namespace checks for Username and Password are
skipped whenever Token is set and treated as exclusive.

---

Nitpick comments:
In `@deploy/crds/bundle.yaml`:
- Around line 7301-7340: Add a CEL validation on SecretServerProvider to enforce
the credential invariant “token or (username and password)” since the
regenerated schema only marks serverURL as required. Mirror the sibling auth
schemas in this bundle by adding a kubebuilder XValidation marker on the
SecretServerProvider Go type, then regenerate the CRD via the normal
controller-gen workflow instead of editing bundle.yaml by hand. Ensure the rule
covers the token, username, and password fields together so admission rejects
empty credentials before the controller sees the SecretStore.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 07669c49-69b0-4c39-9320-2f4390f764da

📥 Commits

Reviewing files that changed from the base of the PR and between 4468655 and 316420f.

📒 Files selected for processing (14)
  • apis/externalsecrets/v1/secretsstore_secretserver_types.go
  • apis/externalsecrets/v1/zz_generated.deepcopy.go
  • apis/externalsecrets/v1beta1/secretsstore_secretserver_types.go
  • apis/externalsecrets/v1beta1/zz_generated.deepcopy.go
  • config/crds/bases/external-secrets.io_clustersecretstores.yaml
  • config/crds/bases/external-secrets.io_secretstores.yaml
  • deploy/crds/bundle.yaml
  • docs/provider/secretserver.md
  • providers/v1/secretserver/provider.go
  • providers/v1/secretserver/provider_test.go
  • tests/__snapshot__/clustersecretstore-v1.yaml
  • tests/__snapshot__/clustersecretstore-v1beta1.yaml
  • tests/__snapshot__/secretstore-v1.yaml
  • tests/__snapshot__/secretstore-v1beta1.yaml

alekc
alekc previously requested changes Jul 5, 2026

@alekc alekc left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Two requested changes below; the docs and the token happy-path/validation tests are otherwise solid. The main one is dropping the v1beta1 additions (that version is unserved and deprecated); the other is a token-awareness fix in doesConfigDependOnNamespace.

// as an alternative to Username and Password. When set, Username and
// Password are not required and are ignored.
// +optional
Token *SecretServerProviderRef `json:"token,omitempty"`

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please drop the v1beta1 changes. SecretStore/ClusterSecretStore v1beta1 are +kubebuilder:unservedversion and +kubebuilder:deprecatedversion (the generated CRD has served: false, storage: false), so this field is unreachable by any client and is never the stored version. New provider fields go to v1 only (e.g. the OpenBao Kubernetes auth in #6591 touched v1 alone). Reverting the v1beta1 type, its deepcopy, the v1beta1 CRD sections, and the *-v1beta1 snapshots keeps this to v1.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

100%

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done. Reverted all v1beta1 changes, secretsstore_secretserver_types.go, zz_generated.deepcopy.go. The token field exists only in v1.

if cfg.Token != nil && cfg.Token.SecretRef != nil && cfg.Token.SecretRef.Namespace == nil {
return true
}
if cfg.Username != nil && cfg.Username.SecretRef != nil && cfg.Username.SecretRef.Namespace == nil {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

doesConfigDependOnNamespace checks username/password even under token auth, but getConfig ignores them once token is set. So a ClusterSecretStore with a valid token.secretRef (namespace set) plus a leftover username.secretRef without a namespace is rejected with errClusterStoreRequiresNamespace, even though the username is ignored. Mirror getConfig's precedence: when cfg.Token != nil, only check cfg.Token here. A test for that case would be worth adding too.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed. doesConfigDependOnNamespace now short-circuits when Token is set , it only inspects the token ref, so a ClusterSecretStore with a valid token.secretRef plus a namespace-less username.secretRef is no longer wrongly rejected. Added unit tests covering both directions (token ref with/without namespace, and precedence over username/password).

@alekc

alekc commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

also, just to confirm, did you test your changes live against secretserver?

// as an alternative to Username and Password. When set, Username and
// Password are not required and are ignored.
// +optional
Token *SecretServerProviderRef `json:"token,omitempty"`

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

100%

Comment thread providers/v1/secretserver/provider.go Outdated

func loadCredentials(ctx context.Context, storeKind string, cfg *esv1.SecretServerProvider, kube kubeClient.Client, namespace string) (server.UserCredential, error) {
if cfg.Token != nil {
token, err := loadConfigSecret(ctx, storeKind, cfg.Token, kube, namespace)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please use our esutils here, we need to check whether some can do that.

Else you can just exfiltrate secrets :)

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch, thanks. loadConfigSecret now runs every secretRef (token, username, password) through validateStoreSecretRef, which calls esutils.ValidateReferentSecretSelector before the value is resolved. So, a ClusterSecretStore can't be pointed at secrets in arbitrary namespaces. It's enforced in the credential-loading path now, not just at config validation.

@github-actions github-actions Bot added size/m and removed size/l labels Jul 10, 2026
@sumanpal97
sumanpal97 force-pushed the feat/secretserver-token-auth branch from d89a75a to ba3706e Compare July 10, 2026 18:02

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@deploy/crds/bundle.yaml`:
- Line 11783: Make the v1 Kubebuilder markers for username and password optional
in the relevant Go API definitions, update their stale descriptions, then
regenerate all affected CRDs under deploy/crds/** with controller-gen; do not
edit the generated bundle.yaml manually.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cdfd962e-f96e-4d5e-85b9-fba1316b62ab

📥 Commits

Reviewing files that changed from the base of the PR and between 316420f and ba3706e.

📒 Files selected for processing (5)
  • config/crds/bases/external-secrets.io_clustersecretstores.yaml
  • config/crds/bases/external-secrets.io_secretstores.yaml
  • deploy/crds/bundle.yaml
  • providers/v1/secretserver/provider.go
  • providers/v1/secretserver/provider_test.go
🚧 Files skipped from review as they are similar to previous changes (2)
  • providers/v1/secretserver/provider_test.go
  • providers/v1/secretserver/provider.go

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Inline review comments failed to post. This is likely due to GitHub's internal server error or limits when posting large numbers of comments. If you are seeing this consistently it is likely a permissions issue. Please check "Moderation" -> "Code review limits" under your organization settings.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@deploy/crds/bundle.yaml`:
- Line 11783: Make the v1 Kubebuilder markers for username and password optional
in the relevant Go API definitions, update their stale descriptions, then
regenerate all affected CRDs under deploy/crds/** with controller-gen; do not
edit the generated bundle.yaml manually.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cdfd962e-f96e-4d5e-85b9-fba1316b62ab

📥 Commits

Reviewing files that changed from the base of the PR and between 316420f and ba3706e.

📒 Files selected for processing (5)
  • config/crds/bases/external-secrets.io_clustersecretstores.yaml
  • config/crds/bases/external-secrets.io_secretstores.yaml
  • deploy/crds/bundle.yaml
  • providers/v1/secretserver/provider.go
  • providers/v1/secretserver/provider_test.go
🚧 Files skipped from review as they are similar to previous changes (2)
  • providers/v1/secretserver/provider_test.go
  • providers/v1/secretserver/provider.go
🛑 Comments failed to post (1)
deploy/crds/bundle.yaml (1)

11783-11783: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Regenerate the bundle with token-compatible authentication requirements.

Both schemas still require username and password, so Kubernetes admission rejects token-only stores before provider validation runs. They also retain stale descriptions. Ensure the v1 Kubebuilder markers make these fields optional, then regenerate the CRDs rather than editing this generated bundle manually.

Based on learnings, CRD files under deploy/crds/** must be regenerated from the Go API definitions using controller-gen.

Also applies to: 11821-11821, 11853-11856, 24560-24560, 24598-24598, 24630-24633

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/crds/bundle.yaml` at line 11783, Make the v1 Kubebuilder markers for
username and password optional in the relevant Go API definitions, update their
stale descriptions, then regenerate all affected CRDs under deploy/crds/** with
controller-gen; do not edit the generated bundle.yaml manually.

Source: Learnings

- restrict token field to v1 only (revert all v1beta1 changes)
- short-circuit doesConfigDependOnNamespace when Token is set
- route credential loading through esutils referent validation

Signed-off-by: sumanpal <sumanpal198@gmail.com>
@sumanpal97
sumanpal97 force-pushed the feat/secretserver-token-auth branch from ba3706e to dbbab74 Compare July 10, 2026 18:29
…et access

Add a unit test proving loadConfigSecret refuses to resolve a secret from a
different namespace than the namespaced SecretStore, even when that secret
exists, exercising the esutils referent-validation guard in the
credential-loading path.

Signed-off-by: sumanpal <sumanpal198@gmail.com>
@sumanpal97

Copy link
Copy Markdown
Contributor Author

also, just to confirm, did you test your changes live against secretserver?

Not live , I don't have a Delinea tenant. I relied on the SDK's native token support, plus unit tests for the token path, refs, namespace dependency, and the cross-namespace referent guard.

@evrardj-roche

Copy link
Copy Markdown
Contributor

@sumanpal97 are you using secretserver? If not, why did you submit this? Just curious.

@sumanpal97

sumanpal97 commented Jul 15, 2026

Copy link
Copy Markdown
Contributor Author

@sumanpal97 are you using secretserver? If not, why did you submit this? Just curious.

Hi @evrardj-roche , No I don't use Delinea myself — I picked up #3977 because it was an open 'good first issue' requesting token auth, and the SDK already supports it natively ('UserCredential.Token'). I can't test against a live tenant, so I covered it with unit tests.

@evrardj-roche

evrardj-roche commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

@sumanpal97 you are helping a lot here, thank you! This already helps me understand a bit more about context.

Can you tell me more about that 'good first issue' ? We did not classify as 'good first issue', so I am wondering where does it come from.

I might look inquisitive, but I am eager to know the thinking behind it. And by answering this, you will help cover patterns that might be really helpful for the community.

For example, if a website is listing those issues as good first issue, i would rather know the criteria they use, and talk with them, so this way we don't arrive to a flurry of untested in real life (but tested in unit tests) contributions. The problem is unit tests only cover so much, and real life regressions are a pain. And those are generally not covered by unit tests, else we would not have this conversation :)

@alekc

alekc commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

uhm
image
XD

@evrardj-roche

evrardj-roche commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

@alekc lol.

@sumanpal97 sorry for that question, you can ignore it ! ><

I will do one more round of review, I think I saw something worth changing to avoid issues in the future, but it starts to take shape! Sorry for the back and forth

@evrardj-roche
evrardj-roche dismissed their stale review July 15, 2026 16:48

let's do one more round with the updates!

@sumanpal97

Copy link
Copy Markdown
Contributor Author

@evrardj-roche No problem at all, and thanks for the follow-up. I appreciate the thorough review, happy to address whatever comes up in the next round.

@evrardj-roche

Copy link
Copy Markdown
Contributor

@sumanpal97 thanks for your understanding and your help! I ahave this in my backlog of reviews.

@evrardj-roche evrardj-roche left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't have much to say anymore, that's good!

However, I would prefer avoiding any accidental footguns, and have proper validation from kubebuilder.

Can you adapt the SecretServerProvider kubebuilder annotations to be more strict and match the current comments, please?

Comment thread apis/externalsecrets/v1/secretsstore_secretserver_types.go
Add a kubebuilder XValidation rule on SecretServerProvider requiring either
token, or both username and password, so admission rejects no-auth and
half-configured stores. Clarify in the type comment that Token takes precedence
when set. Regenerate the affected CRDs.

Signed-off-by: Suman Pal <46846048+sumanpal97@users.noreply.github.com>
@sumanpal97
sumanpal97 requested a review from evrardj-roche July 16, 2026 12:43

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@config/crds/bases/external-secrets.io_secretstores.yaml`:
- Around line 5462-5465: Remove the provider-specific XValidation marker from
the SecretServerProvider struct in secretsstore_secretserver_types.go, leaving
runtime credential checks in provider.go unchanged. Regenerate the CRDs with
controller-gen so the generated external-secrets.io_secretstores.yaml no longer
contains the token/username/password CEL rule; do not edit the generated YAML
manually.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 252a092b-1492-4f00-a144-9792d659e1c2

📥 Commits

Reviewing files that changed from the base of the PR and between b0b8bb8 and 4f711df.

📒 Files selected for processing (4)
  • apis/externalsecrets/v1/secretsstore_secretserver_types.go
  • config/crds/bases/external-secrets.io_clustersecretstores.yaml
  • config/crds/bases/external-secrets.io_secretstores.yaml
  • deploy/crds/bundle.yaml
🚧 Files skipped from review as they are similar to previous changes (3)
  • apis/externalsecrets/v1/secretsstore_secretserver_types.go
  • deploy/crds/bundle.yaml
  • config/crds/bases/external-secrets.io_clustersecretstores.yaml

Comment thread config/crds/bases/external-secrets.io_secretstores.yaml

@evrardj-roche evrardj-roche left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's the last set, @sumanpal97

Comment thread apis/externalsecrets/v1/secretsstore_secretserver_types.go
@evrardj-roche
evrardj-roche dismissed alekc’s stale review July 16, 2026 14:09

Code has changed since then

Add kubebuilder validation on SecretServerProviderRef so exactly one of value
or secretRef must be set (XValidation XOR), and value must be non-empty when
provided (MinLength=1). Applies to username, password, and token via the shared
type. Regenerate the affected CRDs.

Signed-off-by: Suman Pal <46846048+sumanpal97@users.noreply.github.com>
@github-actions github-actions Bot added size/l and removed size/m labels Jul 16, 2026
evrardj-roche
evrardj-roche previously approved these changes Jul 16, 2026
Signed-off-by: Suman Pal <46846048+sumanpal97@users.noreply.github.com>
@sonarqubecloud

Copy link
Copy Markdown

@sumanpal97
sumanpal97 requested a review from evrardj-roche July 16, 2026 17:52
@sumanpal97

Copy link
Copy Markdown
Contributor Author

@evrardj-roche Can you please help with the approval again.
check-diff was failing because docs/api/spec.md wasn't regenerated for the new token field. Regenerated and pushed — generated-doc update only, no logic changes. Should be green now.

@evrardj-roche evrardj-roche left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's do it

@evrardj-roche
evrardj-roche merged commit 69d1f6d into external-secrets:main Jul 17, 2026
33 checks passed
@sumanpal97

Copy link
Copy Markdown
Contributor Author

Thanks @evrardj-roche and @alekc for the welcoming and thorough reviews , a wonderful first open-source experience. Looking forward to contributing more! 🙌

ajgon pushed a commit to deedee-ops/home-ops that referenced this pull request Jul 18, 2026
…l-secrets (2.7.0 ➔ 2.8.0) (#364)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/external-secrets/charts/external-secrets](https://github.com/external-secrets/external-secrets) | minor | `2.7.0` → `2.8.0` |

---

### Release Notes

<details>
<summary>external-secrets/external-secrets (ghcr.io/external-secrets/charts/external-secrets)</summary>

### [`v2.8.0`](https://github.com/external-secrets/external-secrets/releases/tag/v2.8.0)

[Compare Source](external-secrets/external-secrets@v2.7.0...v2.8.0)

Image: `ghcr.io/external-secrets/external-secrets:v2.8.0`
Image: `ghcr.io/external-secrets/external-secrets:v2.8.0-ubi`
Image: `ghcr.io/external-secrets/external-secrets:v2.8.0-ubi-boringssl`

<!-- Release notes generated using configuration in .github/release.yml at main -->

##### What's Changed

##### General

- chore: release helm chart 2.7.0 by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;6529](external-secrets/external-secrets#6529)
- docs(barbican): correct find semantics and document property/extract by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6531](external-secrets/external-secrets#6531)
- docs(gcp): use external-secrets.io/v1 in SecretStore examples by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6563](external-secrets/external-secrets#6563)
- feat(generators): add GitLab deploy token generator by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6493](external-secrets/external-secrets#6493)
- fix(barbican): validate store config and fix SecretExists error message by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6534](external-secrets/external-secrets#6534)
- docs(beyondtrust): fix capability matrix and document decrypt/separator by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6535](external-secrets/external-secrets#6535)
- feat: Make SecondsToLive optional for Grafana generator by [@&#8203;jaruwat-panturat](https://github.com/jaruwat-panturat) in [#&#8203;6479](external-secrets/external-secrets#6479)
- docs: add missing generators to ClusterGenerator spec snippet by [@&#8203;jaruwat-panturat](https://github.com/jaruwat-panturat) in [#&#8203;6590](external-secrets/external-secrets#6590)
- docs(doppler): fix download format list and heading levels by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6559](external-secrets/external-secrets#6559)
- docs(fortanix): add to support matrix and tidy provider page by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6562](external-secrets/external-secrets#6562)
- docs(yandex): fix Lockbox referent cell and add Certificate Manager rows by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6585](external-secrets/external-secrets#6585)
- docs(volcengine): mark referent authentication as supported by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6584](external-secrets/external-secrets#6584)
- docs(senhasegura): mark deletion + referent in matrix and fix title by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6583](external-secrets/external-secrets#6583)
- docs(scaleway): mark referent auth in matrix and fix headings by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6581](external-secrets/external-secrets#6581)
- docs(pulumi): correct find/referent matrix cells and fix headings by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6578](external-secrets/external-secrets#6578)
- docs(previder): correct find/referent matrix cells and fix headings by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6577](external-secrets/external-secrets#6577)
- docs(1password): mark SDK find support in matrix and promote titles by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6568](external-secrets/external-secrets#6568)
- feat(charts): Add aggregateToAdmin toggle by [@&#8203;illrill](https://github.com/illrill) in [#&#8203;6586](external-secrets/external-secrets#6586)
- docs(providers): consolidate 11 conflicting provider-doc PRs by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6592](external-secrets/external-secrets#6592)
- feat(charts): add startupProbe support to webhook deployment by [@&#8203;alpcanaydin](https://github.com/alpcanaydin) in [#&#8203;6612](external-secrets/external-secrets#6612)
- feat(akeyless): support azure\_ad Workload Identity via serviceAccountRef by [@&#8203;baraka-akeyless](https://github.com/baraka-akeyless) in [#&#8203;6530](external-secrets/external-secrets#6530)
- docs(kubernetes): fix invalid tab indentation and heading levels by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6565](external-secrets/external-secrets#6565)
- docs(dvls): mark DeletionPolicy supported and fix page title by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6557](external-secrets/external-secrets#6557)
- docs(bitwarden): fix find behaviour, find-by-name rules, and admonitions by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6551](external-secrets/external-secrets#6551)
- docs(github): add to support matrix, fix auth field, tidy page by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6564](external-secrets/external-secrets#6564)
- docs: Improve explanations of pem\_chain by [@&#8203;evrardjp](https://github.com/evrardjp) in [#&#8203;6623](external-secrets/external-secrets#6623)
- feat: Make our stance regarding AI usage more explicit. by [@&#8203;evrardj-roche](https://github.com/evrardj-roche) in [#&#8203;6621](external-secrets/external-secrets#6621)
- fix(barbican): treat find.name.regexp as a regexp, not an exact match by [@&#8203;arpitjain099](https://github.com/arpitjain099) in [#&#8203;6614](external-secrets/external-secrets#6614)
- chore: update go version 1.26.5 - Fix  CVE-2026-39822 by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6631](external-secrets/external-secrets#6631)
- ref(testing): change the e2e workflow to separate building stage from e2e stage (and free up resources) by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6634](external-secrets/external-secrets#6634)
- chore: updating ok-to-test to allow interim maintainers by [@&#8203;gusfcarvalho](https://github.com/gusfcarvalho) in [#&#8203;6638](external-secrets/external-secrets#6638)
- fix(onepassword): support PushSecret IfNotExists by [@&#8203;civilizedBaboon](https://github.com/civilizedBaboon) in [#&#8203;6646](external-secrets/external-secrets#6646)
- fix(testing): check out PR head in fork e2e instead of main by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6647](external-secrets/external-secrets#6647)
- fix(secretserver): validate store and map fields correctly by [@&#8203;dbinger](https://github.com/dbinger) in [#&#8203;6616](external-secrets/external-secrets#6616)
- feat(charts): Add optional networkPolicy by [@&#8203;jcpunk](https://github.com/jcpunk) in [#&#8203;5779](external-secrets/external-secrets#5779)
- feat(akeyless): add SecretStore ignoreCache to bypass Gateway cache by [@&#8203;baraka-akeyless](https://github.com/baraka-akeyless) in [#&#8203;6507](external-secrets/external-secrets#6507)
- feat(provider): implement AWS Certificate Manager provider by [@&#8203;dsp0x4](https://github.com/dsp0x4) in [#&#8203;6117](external-secrets/external-secrets#6117)
- feat: expose more values for custom metadata for vault v2 by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;6652](external-secrets/external-secrets#6652)
- clean: Remove duplicate code by [@&#8203;evrardj-roche](https://github.com/evrardj-roche) in [#&#8203;6629](external-secrets/external-secrets#6629)
- feat: configurable leader election lease timings by [@&#8203;izz-linux](https://github.com/izz-linux) in [#&#8203;6644](external-secrets/external-secrets#6644)
- fix(akeyless): support dataFrom.extract.property for nested JSON by [@&#8203;baraka-akeyless](https://github.com/baraka-akeyless) in [#&#8203;6633](external-secrets/external-secrets#6633)
- feat(conjur): Certificate Auth support by [@&#8203;hdabrowski](https://github.com/hdabrowski) in [#&#8203;6393](external-secrets/external-secrets#6393)
- docs(aws): restore dropped access section and document missing fields by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6517](external-secrets/external-secrets#6517)
- feat(secretserver): support authentication via access token by [@&#8203;sumanpal97](https://github.com/sumanpal97) in [#&#8203;6597](external-secrets/external-secrets#6597)
- docs(secretserver): document authentication, key formats, property behavior, and limitations by [@&#8203;dbinger](https://github.com/dbinger) in [#&#8203;6619](external-secrets/external-secrets#6619)
- feat(release): Support reading values from kubernetes CRD by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6211](external-secrets/external-secrets#6211)
- clean: Standardize and friendly name for validations policies by [@&#8203;evrardj-roche](https://github.com/evrardj-roche) in [#&#8203;6630](external-secrets/external-secrets#6630)
- feat: add CreateOrMerge creation policy for ExternalSecrets by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6641](external-secrets/external-secrets#6641)
- feat(core): accept duration string for SecretStore refreshInterval by [@&#8203;alekc](https://github.com/alekc) in [#&#8203;6594](external-secrets/external-secrets#6594)
- fix(beyondtrust): validate store without panicking on API key auth by [@&#8203;emmayusufu](https://github.com/emmayusufu) in [#&#8203;6553](external-secrets/external-secrets#6553)
- fix(oracle): cache default WorkloadIdentity provider to prevent tcp port exhaustion by [@&#8203;Ashutosh-3601](https://github.com/Ashutosh-3601) in [#&#8203;6421](external-secrets/external-secrets#6421)

##### Dependencies

- chore(deps): bump golang from `3ad5730` to `3ad5730` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6538](external-secrets/external-secrets#6538)
- chore(deps): bump ubi9/ubi from `1b99266` to `37a1589` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6537](external-secrets/external-secrets#6537)
- chore(deps): bump golang from `5f68ec6` to `b305420` in /e2e by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6539](external-secrets/external-secrets#6539)
- chore(deps): bump actions/setup-python from 6.2.0 to 6.3.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6540](external-secrets/external-secrets#6540)
- chore(deps): bump aws-actions/configure-aws-credentials from 6.2.0 to 6.2.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6542](external-secrets/external-secrets#6542)
- chore(deps): bump actions/attest-build-provenance from 4.1.0 to 4.1.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6543](external-secrets/external-secrets#6543)
- chore(deps): bump azure/setup-helm from 5.0.0 to 5.0.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6544](external-secrets/external-secrets#6544)
- chore(deps): bump actions/setup-go from 6.4.0 to 6.5.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6541](external-secrets/external-secrets#6541)
- chore(deps): bump actions/cache from 5.0.5 to 6.1.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6545](external-secrets/external-secrets#6545)
- chore(deps): bump golang from `3ad5730` to `3ad5730` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6600](external-secrets/external-secrets#6600)
- chore(deps): bump docker/setup-buildx-action from 4.1.0 to 4.2.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6606](external-secrets/external-secrets#6606)
- chore(deps): bump docker/setup-qemu-action from 4.1.0 to 4.2.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6603](external-secrets/external-secrets#6603)
- chore(deps): bump goreleaser/goreleaser-action from 7.2.2 to 7.2.3 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6607](external-secrets/external-secrets#6607)
- chore(deps): bump github/codeql-action/upload-sarif from 4.36.2 to 4.36.3 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6604](external-secrets/external-secrets#6604)
- chore(deps): bump github/codeql-action/init from 4.36.2 to 4.36.3 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6608](external-secrets/external-secrets#6608)
- chore(deps): bump github/codeql-action/analyze from 4.36.2 to 4.36.3 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6605](external-secrets/external-secrets#6605)
- chore(deps): bump docker/login-action from 4.2.0 to 4.4.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6602](external-secrets/external-secrets#6602)
- chore(deps): bump fossas/fossa-action from 1.9.0 to 2.0.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6601](external-secrets/external-secrets#6601)
- chore(deps): bump ubi9/ubi from `37a1589` to `8bf0e8f` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6599](external-secrets/external-secrets#6599)
- chore(deps): bump golang from 1.26.4 to 1.26.5 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6636](external-secrets/external-secrets#6636)
- chore(deps): bump distroless/static from `3592aa8` to `d5f030c` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6635](external-secrets/external-secrets#6635)

##### New Contributors

- [@&#8203;alpcanaydin](https://github.com/alpcanaydin) made their first contribution in [#&#8203;6612](external-secrets/external-secrets#6612)
- [@&#8203;baraka-akeyless](https://github.com/baraka-akeyless) made their first contribution in [#&#8203;6530](external-secrets/external-secrets#6530)
- [@&#8203;arpitjain099](https://github.com/arpitjain099) made their first contribution in [#&#8203;6614](external-secrets/external-secrets#6614)
- [@&#8203;civilizedBaboon](https://github.com/civilizedBaboon) made their first contribution in [#&#8203;6646](external-secrets/external-secrets#6646)
- [@&#8203;dbinger](https://github.com/dbinger) made their first contribution in [#&#8203;6616](external-secrets/external-secrets#6616)
- [@&#8203;dsp0x4](https://github.com/dsp0x4) made their first contribution in [#&#8203;6117](external-secrets/external-secrets#6117)
- [@&#8203;izz-linux](https://github.com/izz-linux) made their first contribution in [#&#8203;6644](external-secrets/external-secrets#6644)
- [@&#8203;hdabrowski](https://github.com/hdabrowski) made their first contribution in [#&#8203;6393](external-secrets/external-secrets#6393)
- [@&#8203;sumanpal97](https://github.com/sumanpal97) made their first contribution in [#&#8203;6597](external-secrets/external-secrets#6597)
- [@&#8203;emmayusufu](https://github.com/emmayusufu) made their first contribution in [#&#8203;6553](external-secrets/external-secrets#6553)
- [@&#8203;Ashutosh-3601](https://github.com/Ashutosh-3601) made their first contribution in [#&#8203;6421](external-secrets/external-secrets#6421)

**Full Changelog**: <external-secrets/external-secrets@v2.7.0...v2.8.0>

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/Warsaw)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNjUuMiIsInVwZGF0ZWRJblZlciI6IjQzLjI2NS4yIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbInJlbm92YXRlL2NvbnRhaW5lciIsInR5cGUvbWlub3IiXX0=-->

Reviewed-on: https://git.ajgon.casa/deedee/mark13/pulls/364
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area/documentation Issues / Pull Requests related to documentation area/secretserver kind/feature Categorizes issue or PR as related to a new feature. size/l

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

Delinea SecretServer: Login with API token

3 participants