
chore: update external secrets to 2.4.0 #3187

Merged

j-zimnowoda merged 11 commits into main from ci-update-external-secrets-to-2.4.0 on Apr 29, 2026

Conversation

@merll (Collaborator) commented Apr 28, 2026

📌 Summary

This PR upgrades the External Secrets Operator to version 2.4.0. This includes the following required changes:

  • The resource versions changed to v1.
  • The ExternalSecret resource no longer accepts null in the data section, and validation also rejects an empty list. Therefore, values that, depending on the configuration, do not rely on shared resources (Alertmanager) are rendered as secrets directly.

🔍 Reviewer Notes

🧹 Checklist

  • Code is readable, maintainable, and robust.
  • Unit tests added/updated

@svcAPLBot (Contributor) commented Apr 28, 2026

Comparison of Helm chart templating output:

# raw/templates/resources.yaml

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/apl-gitea-operator/apl-gitea-operator-secret
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

# raw/templates/resources.yaml

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/apl-harbor-operator/apl-harbor-operator-secret
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

# raw/templates/resources.yaml

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/apl-keycloak-operator/apl-keycloak-operator-secret
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

# raw/templates/resources.yaml

@@ apiVersion @@
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

# raw/templates/resources.yaml

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/argocd/argocd-repo-creds-gitea-internal
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/argocd/argocd-repo-creds-gitea
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/argocd/argocd-redis-secret
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/argocd/argocd-oidc-secret
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

# raw/templates/resources.yaml

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/custom-ca
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/external-dns
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

# New file added: external-secrets/templates/cert-controller-deployment.yaml
# New file added: external-secrets/templates/cert-controller-rbac.yaml
# New file added: external-secrets/templates/cert-controller-serviceaccount.yaml
# Old file deleted: external-secrets/templates/clusterrole.yaml
# external-secrets/templates/deployment.yaml

@@ spec @@
! + one map entry added:
+ revisionHistoryLimit: 10

@@ spec.template.metadata.labels @@
! + three map entries added:
+ helm.sh/chart: external-secrets-2.4.0
+ app.kubernetes.io/version: v2.4.0
+ app.kubernetes.io/managed-by: Helm

@@ spec.template.spec @@
! + three map entries added:
+ automountServiceAccountToken: true
+ hostNetwork: false
+ dnsPolicy: ClusterFirst
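Review bot: automountServiceAccountToken: true is now explicit and is what the controller needs to reach the API server, so what matters is which permissions end up bound to that token; this output only lists rbac.yaml as a new file and clusterrole.yaml as deleted without showing either, so diff the rules in the old ClusterRole against the new rbac.yaml before merging rather than treating it as a template rename.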

@@ spec.template.spec.containers.external-secrets @@
! + one map entry added:
+ securityContext:
+   allowPrivilegeEscalation: false
+   capabilities:
+     drop:
+     - ALL
+   readOnlyRootFilesystem: true
+   runAsNonRoot: true
+   runAsUser: 1000
+   seccompProfile:
+     type: RuntimeDefault
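Review bot: the new container securityContext carries every field the restricted Pod Security Standard asks for (allowPrivilegeEscalation: false, capabilities drop ALL, runAsNonRoot: true, seccompProfile RuntimeDefault) plus readOnlyRootFilesystem: true, which is the right baseline for a controller that holds provider credentials. Two checks remain: runAsUser: 1000 is fixed here, so confirm the image is built to run as that UID, and since nothing is added at spec.template.spec.securityContext these settings cover only this container, not any init or sidecar containers the chart may render.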

@@ spec.template.spec.containers.external-secrets.image @@
! ± value change
- ghcr.io/external-secrets/external-secrets:v0.14.3
+ ghcr.io/external-secrets/external-secrets:v2.4.0
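Review bot: the image moves from v0.14.3 straight to v2.4.0 while every rendered ExternalSecret and ClusterSecretStore below switches from v1beta1 to v1; the CRDs are not part of this output, so make sure the CRD upgrade lands before or together with this Deployment, otherwise the v1 objects are rejected until it does. A tag-only reference can be repointed upstream; pinning ghcr.io/external-secrets/external-secrets by digest alongside the tag would make this supply-chain bump verifiable.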

@@ spec.template.spec.containers.external-secrets.args @@
! + five list entries added:
+ - "--enable-cluster-external-secret-reconciler=false"
+ - "--enable-cluster-push-secret-reconciler=false"
+ - "--enable-push-secret-reconciler=false"
+ - "--loglevel=info"
+ - "--zap-time-encoding=epoch"
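Review bot: disabling the ClusterExternalSecret and both PushSecret reconcilers is a sound least-privilege default, since PushSecret is the path that writes cluster data back into the provider and none of those kinds appear in the rendered resources. Note that --zap-time-encoding=epoch switches log timestamps to epoch seconds, so any log parsing that keyed on the previous timestamp format needs adjusting.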

# New file added: external-secrets/templates/rbac.yaml
# external-secrets/templates/serviceaccount.yaml

# New file added: external-secrets/templates/validatingwebhook.yaml
# New file added: external-secrets/templates/webhook-deployment.yaml
# New file added: external-secrets/templates/webhook-secret.yaml
# New file added: external-secrets/templates/webhook-service.yaml
# New file added: external-secrets/templates/webhook-serviceaccount.yaml
# raw/templates/resources.yaml

@@ apiVersion @@
# external-secrets.io/v1/ClusterSecretStore/core-secrets-store
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

# raw/templates/resources.yaml

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/gitea-smtp-secret
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/linode-creds
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/gitea-admin-secret
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

# raw/templates/resources.yaml

@@ apiVersion @@
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

# raw/templates/resources.yaml

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/harbor-registry-credentials
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/registry-storage-credentials
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/linode-creds
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/harbor-registry-http
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/harbor-jobservice-secret
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/harbor-core-xsrf-secret
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/harbor-core-secret
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/harbor-secret-key
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/harbor-admin-password
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

# raw/templates/resources.yaml

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/oauth2-proxy-client-access
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/oauth2-proxy-redis-password
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

# raw/templates/resources.yaml

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/linode-creds
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/keycloak/keycloak-initial-admin
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

# raw/templates/resources.yaml

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/mlpipeline-obj-artifact
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/kfp-mysql-secret
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

# raw/templates/resources.yaml

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/reverse-proxy-auth-config
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/loki-s3-linode-credentials
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

# raw/templates/resources.yaml

@@ apiVersion @@
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

# raw/templates/resources.yaml

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/monitoring/alertmanager-platform-config
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/prometheus-remote-write-basic-auth
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/monitoring/grafana-loki-datasource-secret
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/monitoring/grafana-oidc-secret
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/monitoring/grafana-admin-secret
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

# raw/templates/resources.yaml

@@ apiVersion @@
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

# rabbitmq-cluster-operator/templates/messaging-topology-operator/validating-webhook-configuration.yaml

# raw/templates/resources.yaml

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/team-demo/alertmanager-team-demo-config
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/team-demo/grafana-loki-datasource-secret
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/team-demo/grafana-oidc-secret
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/team-demo/team-demo-grafana-admin
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

# raw/templates/resources.yaml

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/team-dev/grafana-loki-datasource-secret
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/team-dev/grafana-oidc-secret
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ apiVersion @@
# external-secrets.io/v1/ExternalSecret/team-dev/team-dev-grafana-admin
! ± value change
- external-secrets.io/v1beta1
+ external-secrets.io/v1

@@ (root level) @@
# external-secrets.io/v1beta1/ExternalSecret/team-dev/alertmanager-team-dev-config
! - one document removed:
- ---
- # Source: raw/templates/resources.yaml
- apiVersion: external-secrets.io/v1beta1
- kind: ExternalSecret
- metadata:
-   name: alertmanager-team-dev-config
-   namespace: team-dev
-   labels:
-     app: raw
-     app.kubernetes.io/instance: team-secrets-dev
-     app.kubernetes.io/managed-by: Helm
-     app.kubernetes.io/name: raw
-     app.kubernetes.io/part-of: otomi
-     app.kubernetes.io/version: 0.2.3
-     helm.sh/chart: raw-0.2.3
- spec:
-   data: null
-   refreshInterval: 1h
-   secretStoreRef:
-     name: core-secrets-store
-     kind: ClusterSecretStore
-   target:
-     name: alertmanager-team-dev-config
-     creationPolicy: Owner
-     template:
-       type: Opaque
-       data:
-         alertmanager.yaml: |
-           
-           global:
-           route:
-             receiver: "null"
-             group_by: [alertname]
-             group_interval: 5m
-             repeat_interval: 3h
-             routes:
-               - matchers:
-                   - alertname="Watchdog"
-                 receiver: "null"
-               - matchers:
-                   - alertname="CPUThrottlingHigh"
-                   - namespace="team-dev"
-                 receiver: "null"
-               - matchers:
-                   - severity="critical"
-                   - namespace="team-dev"
-                 receiver: "null"
-           receivers:
-             - name: "null"

@@ (root level) @@
# v1/Secret/team-dev/alertmanager-team-dev-config
! + one document added:
+ ---
+ type: Opaque
+ # Source: raw/templates/resources.yaml
+ apiVersion: v1
+ kind: Secret
+ data:
+   alertmanager.yaml: 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
+ metadata:
+   name: alertmanager-team-dev-config
+   namespace: team-dev
+   labels:
+     app: raw
+     app.kubernetes.io/instance: team-secrets-dev
+     app.kubernetes.io/managed-by: Helm
+     app.kubernetes.io/name: raw
+     app.kubernetes.io/part-of: otomi
+     app.kubernetes.io/version: 0.2.3
+     helm.sh/chart: raw-0.2.3
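Review bot: data.alertmanager.yaml in a core v1 Secret must be base64-encoded; the review thread below raises exactly that and the author reports it fixed, so the template should go through b64enc (or put the value under stringData and let the API server encode it). Two smaller points: type: Opaque rendered above apiVersion is legal YAML but reads oddly, and this config now lives in the Helm release and the rendered manifest instead of behind the ClusterSecretStore. The content rendered here only wires every route to the "null" receiver, so nothing sensitive is exposed, but for a team whose Alertmanager config carries receiver credentials this path would put them in the rendered manifest, which the summary says is only meant for configurations that involve no shared resources.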

# values-repo.yaml

@j-zimnowoda j-zimnowoda self-assigned this Apr 29, 2026
Review comment on this template context:

  namespace: team-{{ $teamId }}
  type: Opaque
  data:
    alertmanager.yaml: |

Contributor commented:

Shouldn't it be base64 encoded?

merll (Collaborator, Author) replied:

Yes, that is updated now.

Contributor replied:

Thanks
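An added check for the two points raised on this page, the 2.4.0 migration described in the PR summary (v1 apiVersions, no null or empty data on an ExternalSecret) and the base64 question from the review thread above. This is example code written for this page, not code from the PR or from the external-secrets project. It audits objects in the JSON shape that kubectl emits with -o json; the names in the constructed sample mirror objects from the bot's diff output but their contents, the gitea namespace, and the rule that an ExternalSecret needs either data or dataFrom entries are assumptions made for the example.

```python
"""Audit rendered or live manifests for the ESO 2.4.0 migration rules.

Added example, not code from the PR or the external-secrets project.
Rules (assumptions drawn from the PR summary and review thread):
  1. external-secrets.io objects should carry apiVersion .../v1, not v1beta1;
  2. an ExternalSecret whose spec.data is null or empty and that has no
     dataFrom entries is rejected by the 2.4.0 validation;
  3. values under a core v1 Secret's `data` must be valid base64.
"""
import base64
import binascii
import json

ESO_GROUP = "external-secrets.io"


def _is_base64(value):
    """True when value is a str that strictly decodes as base64."""
    if not isinstance(value, str):
        return False
    try:
        base64.b64decode(value, validate=True)  # rejects non-alphabet chars and bad padding
        return True
    except (binascii.Error, ValueError):
        return False


def audit_item(obj):
    """Return a list of finding strings for one Kubernetes object (dict)."""
    findings = []
    api = obj.get("apiVersion", "")
    kind = obj.get("kind", "")
    meta = obj.get("metadata") or {}
    ident = f"{api} {kind} {meta.get('namespace', '-')}/{meta.get('name', '?')}"

    if api.startswith(ESO_GROUP + "/"):
        if api != ESO_GROUP + "/v1":
            findings.append(f"{ident}: still {api}, expected {ESO_GROUP}/v1")
        if kind == "ExternalSecret":
            spec = obj.get("spec") or {}
            # None, [] and a missing key all count as "no data" here.
            if not spec.get("data") and not spec.get("dataFrom"):
                findings.append(f"{ident}: spec.data is null/empty and no dataFrom; "
                                "2.4.0 validation rejects this, render a plain Secret instead")

    if api == "v1" and kind == "Secret":
        for key, value in (obj.get("data") or {}).items():
            if not _is_base64(value):
                findings.append(f"{ident}: data[{key}] is not base64; "
                                "use b64enc in the template or put it under stringData")
    return findings


def load_items(doc):
    """Accept a parsed kubectl List ({'items': [...]}) or a single object."""
    if isinstance(doc, dict) and isinstance(doc.get("items"), list):
        return doc["items"]
    return [doc]


def audit(items):
    """Audit every object and return all findings in input order."""
    out = []
    for obj in items:
        out.extend(audit_item(obj))
    return out


# Constructed sample input for this example; contents are not copied from the chart.
_ALERTMANAGER_YAML = b'global:\nroute:\n  receiver: "null"\nreceivers:\n  - name: "null"\n'
SAMPLE_ITEMS = [
    {  # shape of the removed alertmanager-team-dev-config ExternalSecret
        "apiVersion": "external-secrets.io/v1beta1", "kind": "ExternalSecret",
        "metadata": {"name": "alertmanager-team-dev-config", "namespace": "team-dev"},
        "spec": {"data": None, "refreshInterval": "1h",
                 "secretStoreRef": {"name": "core-secrets-store", "kind": "ClusterSecretStore"}},
    },
    {  # a migrated ExternalSecret that really reads from the store (namespace assumed)
        "apiVersion": "external-secrets.io/v1", "kind": "ExternalSecret",
        "metadata": {"name": "gitea-admin-secret", "namespace": "gitea"},
        "spec": {"secretStoreRef": {"name": "core-secrets-store", "kind": "ClusterSecretStore"},
                 "data": [{"secretKey": "password",
                           "remoteRef": {"key": "gitea-admin", "property": "password"}}]},
    },
    {  # store left on the old version
        "apiVersion": "external-secrets.io/v1beta1", "kind": "ClusterSecretStore",
        "metadata": {"name": "core-secrets-store"}, "spec": {},
    },
    {  # the plain Secret as first rendered: raw YAML under data
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        "metadata": {"name": "alertmanager-team-dev-config", "namespace": "team-dev"},
        "data": {"alertmanager.yaml": _ALERTMANAGER_YAML.decode()},
    },
    {  # the same Secret after the reviewer's base64 fix
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        "metadata": {"name": "alertmanager-team-dev-config", "namespace": "team-dev"},
        "data": {"alertmanager.yaml": base64.b64encode(_ALERTMANAGER_YAML).decode()},
    },
]

if __name__ == "__main__":
    import sys
    # Usage: kubectl get externalsecrets,clustersecretstores,secrets -A -o json > live.json
    #        python audit.py live.json      (no argument: runs on SAMPLE_ITEMS)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            items = load_items(json.load(fh))
    else:
        items = SAMPLE_ITEMS
    for line in audit(items):
        print(line)
```

Run against the sample, the script reports four findings: the old ExternalSecret twice (v1beta1 and null data), the ClusterSecretStore once (v1beta1), and the first Secret once (data not base64); the migrated ExternalSecret and the base64-encoded Secret pass. The base64 check uses validate=True on purpose, since the default lenient decoder silently drops non-alphabet characters and would let raw YAML through.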

@j-zimnowoda j-zimnowoda merged commit 8cc209e into main Apr 29, 2026
14 checks passed
@j-zimnowoda j-zimnowoda deleted the ci-update-external-secrets-to-2.4.0 branch April 29, 2026 12:48


3 participants