chore(deps): update helm release external-secrets to v0.15.0 for prod env #222
Open: ixxeL2097 wants to merge 1 commit into main from renovate/helm/external-secrets-prod
--- main/external-secrets_talos_manifests_external-secrets_prod_manifest_main.yaml 2025-03-20 02:55:16.645121024 +0000
+++ pr/external-secrets_talos_manifests_external-secrets_prod_manifest_pr.yaml 2025-03-20 02:55:14.653115000 +0000
@@ -1,68 +1,68 @@
---
# Source: external-secrets/charts/external-secrets/templates/cert-controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: external-secrets-cert-controller
namespace: github-runner
labels:
- helm.sh/chart: external-secrets-0.14.4
+ helm.sh/chart: external-secrets-0.15.0
app.kubernetes.io/name: external-secrets-cert-controller
app.kubernetes.io/instance: external-secrets
- app.kubernetes.io/version: "v0.14.4"
+ app.kubernetes.io/version: "v0.15.0"
app.kubernetes.io/managed-by: Helm
---
# Source: external-secrets/charts/external-secrets/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: external-secrets
namespace: github-runner
labels:
- helm.sh/chart: external-secrets-0.14.4
+ helm.sh/chart: external-secrets-0.15.0
app.kubernetes.io/name: external-secrets
app.kubernetes.io/instance: external-secrets
- app.kubernetes.io/version: "v0.14.4"
+ app.kubernetes.io/version: "v0.15.0"
app.kubernetes.io/managed-by: Helm
---
# Source: external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: external-secrets-webhook
namespace: github-runner
labels:
- helm.sh/chart: external-secrets-0.14.4
+ helm.sh/chart: external-secrets-0.15.0
app.kubernetes.io/name: external-secrets-webhook
app.kubernetes.io/instance: external-secrets
- app.kubernetes.io/version: "v0.14.4"
+ app.kubernetes.io/version: "v0.15.0"
app.kubernetes.io/managed-by: Helm
---
# Source: external-secrets/templates/clusterSecretStore.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: eso-auth
namespace: external-secrets
---
# Source: external-secrets/charts/external-secrets/templates/webhook-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: external-secrets-webhook
namespace: github-runner
labels:
- helm.sh/chart: external-secrets-0.14.4
+ helm.sh/chart: external-secrets-0.15.0
app.kubernetes.io/name: external-secrets-webhook
app.kubernetes.io/instance: external-secrets
- app.kubernetes.io/version: "v0.14.4"
+ app.kubernetes.io/version: "v0.15.0"
app.kubernetes.io/managed-by: Helm
external-secrets.io/component: webhook
---
# Source: external-secrets/templates/clusterSecretStore.yaml
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: eso-auth
namespace: external-secrets
@@ -947,21 +947,23 @@
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: array
namespaces:
- description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
+ description: |-
+ Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
+ Deprecated: Use NamespaceSelectors instead.
items:
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
type: array
refreshTime:
description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
type: string
required:
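Review bot: the `namespaces` field is now marked `Deprecated: Use NamespaceSelectors instead.` in its description, so any manifest in this repo that still selects namespaces by name through this field should be migrated to `namespaceSelectors` in this change or tracked as a follow-up. The description also says the two fields are ORed, so during migration check that a label selector does not end up matching namespaces the name list never included.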
@@ -1531,42 +1533,70 @@
- installID
type: object
grafanaSpec:
description: GrafanaSpec controls the behavior of the grafana generator.
properties:
auth:
description: |-
Auth is the authentication configuration to authenticate
against the Grafana instance.
properties:
+ basic:
+ description: |-
+ Basic auth credentials used to authenticate against the Grafana instance.
+ Note: you need a token which has elevated permissions to create service accounts.
+ See here for the documentation on basic roles offered by Grafana:
+ https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
+ properties:
+ password:
+ description: A basic auth password used to authenticate against the Grafana instance.
+ properties:
+ key:
+ description: The key where the token is found.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ type: object
+ username:
+ description: A basic auth username used to authenticate against the Grafana instance.
+ type: string
+ required:
+ - password
+ - username
+ type: object
token:
description: |-
A service account token used to authenticate against the Grafana instance.
Note: you need a token which has elevated permissions to create service accounts.
See here for the documentation on basic roles offered by Grafana:
https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
properties:
key:
description: The key where the token is found.
maxLength: 253
minLength: 1
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: The name of the Secret resource being referred to.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
type: object
- required:
- - token
type: object
serviceAccount:
description: |-
ServiceAccount is the configuration for the service account that
is supposed to be generated by the generator.
properties:
name:
description: Name is the name of the service account that will be created by ESO.
type: string
role:
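Review bot: under `grafanaSpec.auth`, the `required: - token` constraint is removed when `basic` is added, and nothing visible in this hunk replaces it with an either/or rule, so as far as this schema goes an `auth` block with neither `token` nor `basic` (or with both) passes admission. If the Grafana generator is used here, set exactly one method explicitly in the manifests and confirm how the controller handles the empty case before relying on API-server validation to catch a misconfiguration.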
@@ -2761,20 +2791,548 @@
strategy: Webhook
webhook:
conversionReviewVersions:
- v1
clientConfig:
service:
name: external-secrets-webhook
namespace: "github-runner"
path: /convert
---
+# Source: external-secrets/charts/external-secrets/templates/crds/clusterpushsecret.yaml
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.17.2
+ labels:
+ external-secrets.io/component: controller
+ name: clusterpushsecrets.external-secrets.io
+spec:
+ group: external-secrets.io
+ names:
+ categories:
+ - external-secrets
+ kind: ClusterPushSecret
+ listKind: ClusterPushSecretList
+ plural: clusterpushsecrets
+ singular: clusterpushsecret
+ scope: Cluster
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: AGE
+ type: date
+ - jsonPath: .status.conditions[?(@.type=="Ready")].reason
+ name: Status
+ type: string
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ namespaceSelectors:
+ description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
+ items:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ pushSecretMetadata:
+ description: The metadata of the external secrets to be created
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ pushSecretName:
+ description: |-
+ The name of the push secrets to be created.
+ Defaults to the name of the ClusterPushSecret
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ pushSecretSpec:
+ description: PushSecretSpec defines what to do with the secrets.
+ properties:
+ data:
+ description: Secret Data that should be pushed to providers
+ items:
+ properties:
+ conversionStrategy:
+ default: None
+ description: Used to define a conversion Strategy for the secret keys
+ enum:
+ - None
+ - ReverseUnicode
+ type: string
+ match:
+ description: Match a given Secret Key to be pushed to the provider.
+ properties:
+ remoteRef:
+ description: Remote Refs to push to providers.
+ properties:
+ property:
+ description: Name of the property in the resulting secret
+ type: string
+ remoteKey:
+ description: Name of the resulting provider secret.
+ type: string
+ required:
+ - remoteKey
+ type: object
+ secretKey:
+ description: Secret Key to be pushed
+ type: string
+ required:
+ - remoteRef
+ type: object
+ metadata:
+ description: |-
+ Metadata is metadata attached to the secret.
+ The structure of metadata is provider specific, please look it up in the provider documentation.
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - match
+ type: object
+ type: array
+ deletionPolicy:
+ default: None
+ description: Deletion Policy to handle Secrets in the provider.
+ enum:
+ - Delete
+ - None
+ type: string
+ refreshInterval:
+ default: 1h
+ description: The Interval to which External Secrets will try to push a secret definition
+ type: string
+ secretStoreRefs:
+ items:
+ properties:
+ kind:
+ default: SecretStore
+ description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+ enum:
+ - SecretStore
+ - ClusterSecretStore
+ type: string
+ labelSelector:
+ description: Optionally, sync to secret stores with label selector
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ name:
+ description: Optionally, sync to the SecretStore of the given name
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ type: object
+ type: array
+ selector:
+ description: The Secret Selector (k8s source) for the Push Secret
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ generatorRef:
+ description: Point to a generator to create a Secret.
+ properties:
+ apiVersion:
+ default: generators.external-secrets.io/v1alpha1
+ description: Specify the apiVersion of the generator resource
+ type: string
+ kind:
+ description: Specify the Kind of the generator resource
+ enum:
+ - ACRAccessToken
+ - ClusterGenerator
+ - ECRAuthorizationToken
+ - Fake
+ - GCRAccessToken
+ - GithubAccessToken
+ - QuayAccessToken
+ - Password
+ - STSSessionToken
+ - UUID
+ - VaultDynamicSecret
+ - Webhook
+ - Grafana
+ type: string
+ name:
+ description: Specify the name of the generator resource
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ secret:
+ description: Select a Secret to Push.
+ properties:
+ name:
+ description: |-
+ Name of the Secret.
+ The Secret must exist in the same namespace as the PushSecret manifest.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ selector:
+ description: Selector chooses secrets using a labelSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: object
+ template:
+ description: Template defines a blueprint for the created Secret resource.
+ properties:
+ data:
+ additionalProperties:
+ type: string
+ type: object
+ engineVersion:
+ default: v2
+ description: |-
+ EngineVersion specifies the template engine version
+ that should be used to compile/execute the
+ template specified in .data and .templateFrom[].
+ enum:
+ - v1
+ - v2
+ type: string
+ mergePolicy:
+ default: Replace
+ enum:
+ - Replace
+ - Merge
+ type: string
+ metadata:
+ description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ templateFrom:
+ items:
+ properties:
+ configMap:
+ properties:
+ items:
+ description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
+ items:
+ properties:
+ key:
+ description: A key in the ConfigMap/Secret
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ templateAs:
+ default: Values
+ enum:
+ - Values
+ - KeysAndValues
+ type: string
+ required:
+ - key
+ type: object
+ type: array
+ name:
+ description: The name of the ConfigMap/Secret resource
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - items
+ - name
+ type: object
+ literal:
+ type: string
+ secret:
+ properties:
+ items:
+ description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
+ items:
+ properties:
+ key:
+ description: A key in the ConfigMap/Secret
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ templateAs:
+ default: Values
+ enum:
+ - Values
+ - KeysAndValues
+ type: string
+ required:
+ - key
+ type: object
+ type: array
+ name:
+ description: The name of the ConfigMap/Secret resource
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ required:
+ - items
+ - name
+ type: object
+ target:
+ default: Data
+ enum:
+ - Data
+ - Annotations
+ - Labels
+ type: string
+ type: object
+ type: array
+ type:
+ type: string
+ type: object
+ updatePolicy:
+ default: Replace
+ description: UpdatePolicy to handle Secrets in the provider.
+ enum:
+ - Replace
+ - IfNotExists
+ type: string
+ required:
+ - secretStoreRefs
+ - selector
+ type: object
+ refreshTime:
+ description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
+ type: string
+ required:
+ - pushSecretSpec
+ type: object
+ status:
+ properties:
+ conditions:
+ items:
+ description: PushSecretStatusCondition indicates the status of the PushSecret.
+ properties:
+ lastTransitionTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ reason:
+ type: string
+ status:
+ type: string
+ type:
+ description: PushSecretConditionType indicates the condition of the PushSecret.
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ failedNamespaces:
+ description: Failed namespaces are the namespaces that failed to apply an PushSecret
+ items:
+ description: ClusterPushSecretNamespaceFailure represents a failed namespace deployment and it's reason.
+ properties:
+ namespace:
+ description: Namespace is the namespace that failed when trying to apply an PushSecret
+ type: string
+ reason:
+ description: Reason is why the PushSecret failed to apply to the namespace
+ type: string
+ required:
+ - namespace
+ type: object
+ type: array
+ provisionedNamespaces:
+ description: ProvisionedNamespaces are the namespaces where the ClusterPushSecret has secrets
+ items:
+ type: string
+ type: array
+ pushSecretName:
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: external-secrets-webhook
+ namespace: "github-runner"
+ path: /convert
+---
# Source: external-secrets/charts/external-secrets/templates/crds/clustersecretstore.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.2
labels:
external-secrets.io/component: controller
name: clustersecretstores.external-secrets.io
spec:
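Review bot: the new `clusterpushsecrets.external-secrets.io` CRD has `scope: Cluster` and selects target namespaces through `namespaceSelectors`, whose item description states that an empty label selector matches all objects, so a single object with a `{}` selector entry would apply its `pushSecretSpec` to every namespace. Before merging, decide whether this cluster needs ClusterPushSecret at all; if it does, restrict create and update on `clusterpushsecrets` to cluster admins and review any use of `deletionPolicy: Delete`, which acts on secrets in the provider. Minor documentation point: the `namespaceSelectors` and `pushSecretMetadata` descriptions still refer to ExternalSecrets and "external secrets", while `pushSecretName` speaks of push secrets.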
@@ -5756,20 +6314,92 @@
description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
type: string
username:
description: UserName should be the user ID on the chef server
type: string
required:
- auth
- serverUrl
- username
type: object
+ cloudrusm:
+ description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
+ properties:
+ auth:
+ description: CSMAuth contains a secretRef for credentials.
+ properties:
+ secretRef:
+ description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
+ properties:
+ accessKeyIDSecretRef:
+ description: The AccessKeyID is used for authentication
+ properties:
+ key:
+ description: |-
+ A key in the referenced Secret.
+ Some instances of this field may be defaulted, in others it may be required.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ The namespace of the Secret resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ type: object
+ accessKeySecretSecretRef:
+ description: The AccessKeySecret is used for authentication
+ properties:
+ key:
+ description: |-
+ A key in the referenced Secret.
+ Some instances of this field may be defaulted, in others it may be required.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ The namespace of the Secret resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ type: object
+ required:
+ - accessKeyIDSecretRef
+ - accessKeySecretSecretRef
+ type: object
+ type: object
+ projectID:
+ description: ProjectID is the project, which the secrets are stored in.
+ type: string
+ required:
+ - auth
+ type: object
conjur:
description: Conjur configures this store to sync secrets using conjur provider
properties:
auth:
properties:
apikey:
properties:
account:
type: string
apiKeyRef:
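Review bot: in the new `cloudrusm` block, `auth` is listed as required but the `auth` object itself has no `required` list, so `auth: {}` without a `secretRef` validates against this schema even though both key references become mandatory once `secretRef` is present. Nothing needs changing in this repo for a rendered upstream CRD, but if a Cloud.ru store is ever defined here, do not rely on admission to reject a store with missing credentials; check the store's status after applying.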
@@ -10245,42 +10875,70 @@
metadata:
type: object
spec:
description: GrafanaSpec controls the behavior of the grafana generator.
properties:
auth:
description: |-
Auth is the authentication configuration to authenticate
against the Grafana instance.
properties:
+ basic:
+ description: |-
+ Basic auth credentials used to authenticate against the Grafana instance.
+ Note: you need a token which has elevated permissions to create service accounts.
+ See here for the documentation on basic roles offered by Grafana:
+ https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
+ properties:
+ password:
+ description: A basic auth password used to authenticate against the Grafana instance.
+ properties:
+ key:
+ description: The key where the token is found.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ type: object
+ username:
+ description: A basic auth username used to authenticate against the Grafana instance.
+ type: string
+ required:
+ - password
+ - username
+ type: object
token:
description: |-
A service account token used to authenticate against the Grafana instance.
Note: you need a token which has elevated permissions to create service accounts.
See here for the documentation on basic roles offered by Grafana:
https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
properties:
key:
description: The key where the token is found.
maxLength: 253
minLength: 1
pattern: ^[-._a-zA-Z0-9]+$
type: string
name:
description: The name of the Secret resource being referred to.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
type: object
- required:
- - token
type: object
serviceAccount:
description: |-
ServiceAccount is the configuration for the service account that
is supposed to be generated by the generator.
properties:
name:
description: Name is the name of the service account that will be created by ESO.
type: string
role:
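Review bot: the `basic.password` reference reuses the token wording (its `key` is described as "The key where the token is found", and the `basic` description says "you need a token which has elevated permissions"), which leaves it unclear what privilege the basic-auth user needs. If basic auth is adopted for the Grafana generator, document in this repo which Grafana role the account holds, and note that `username` is a plain string in the resource while only the password is read from a Secret.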
@@ -10626,22 +11284,64 @@
description: Select a Secret to Push.
properties:
name:
description: |-
Name of the Secret.
The Secret must exist in the same namespace as the PushSecret manifest.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
- required:
- - name
+ selector:
+ description: Selector chooses secrets using a labelSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
type: object
type: object
template:
description: Template defines a blueprint for the created Secret resource.
properties:
data:
additionalProperties:
type: string
type: object
engineVersion:
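Review bot: in the `secret` source, `required: - name` is dropped and a label `selector` is added, so the source of a push can change from one named Secret to any Secret that carries matching labels, and an empty `secret: {}` is no longer rejected by this schema. With a selector-based PushSecret, whoever can create or label Secrets in scope can opt a Secret into being pushed to the provider; keep existing PushSecrets on `name` unless the selector is needed, and limit who can create or patch Secrets where a selector is used.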
@@ -13947,20 +14647,92 @@
description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
type: string
username:
description: UserName should be the user ID on the chef server
type: string
required:
- auth
- serverUrl
- username
type: object
+ cloudrusm:
+ description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
+ properties:
+ auth:
+ description: CSMAuth contains a secretRef for credentials.
+ properties:
+ secretRef:
+ description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
+ properties:
+ accessKeyIDSecretRef:
+ description: The AccessKeyID is used for authentication
+ properties:
+ key:
+ description: |-
+ A key in the referenced Secret.
+ Some instances of this field may be defaulted, in others it may be required.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ The namespace of the Secret resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ type: object
+ accessKeySecretSecretRef:
+ description: The AccessKeySecret is used for authentication
+ properties:
+ key:
+ description: |-
+ A key in the referenced Secret.
+ Some instances of this field may be defaulted, in others it may be required.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[-._a-zA-Z0-9]+$
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ maxLength: 253
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+ type: string
+ namespace:
+ description: |-
+ The namespace of the Secret resource being referred to.
+ Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+ maxLength: 63
+ minLength: 1
+ pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+ type: string
+ type: object
+ required:
+ - accessKeyIDSecretRef
+ - accessKeySecretSecretRef
+ type: object
+ type: object
+ projectID:
+ description: ProjectID is the project, which the secrets are stored in.
+ type: string
+ required:
+ - auth
+ type: object
conjur:
description: Conjur configures this store to sync secrets using conjur provider
properties:
auth:
properties:
apikey:
properties:
account:
type: string
apiKeyRef:
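Review bot: `projectID` in this second copy of the `cloudrusm` block is optional (only `auth` is listed under `required`), although its description says it is the project the secrets are stored in. If this provider is used, set `projectID` explicitly in the store manifest rather than depending on whatever the provider does when it is absent.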
@@ -18120,24 +18892,24 @@
name: external-secrets-webhook
namespace: "github-runner"
path: /convert
---
# Source: external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: external-secrets-cert-controller
labels:
- helm.sh/chart: external-secrets-0.14.4
+ helm.sh/chart: external-secrets-0.15.0
app.kubernetes.io/name: external-secrets-cert-controller
app.kubernetes.io/instance: external-secrets
- app.kubernetes.io/version: "v0.14.4"
+ app.kubernetes.io/version: "v0.15.0"
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
- "apiextensions.k8s.io"
resources:
- "customresourcedefinitions"
verbs:
- "get"
- "list"
- "watch"
@@ -18195,34 +18967,35 @@
- "create"
- "update"
- "patch"
---
# Source: external-secrets/charts/external-secrets/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: external-secrets-controller
labels:
- helm.sh/chart: external-secrets-0.14.4
+ helm.sh/chart: external-secrets-0.15.0
app.kubernetes.io/name: external-secrets
app.kubernetes.io/instance: external-secrets
- app.kubernetes.io/version: "v0.14.4"
+ app.kubernetes.io/version: "v0.15.0"
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
- "external-secrets.io"
resources:
- "secretstores"
- "clustersecretstores"
- "externalsecrets"
- "clusterexternalsecrets"
- "pushsecrets"
+ - "clusterpushsecrets"
verbs:
- "get"
- "list"
- "watch"
- apiGroups:
- "external-secrets.io"
resources:
- "externalsecrets"
- "externalsecrets/status"
- "externalsecrets/finalizers"
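Review bot: the added `- "clusterpushsecrets"` in the get/list/watch rule of `external-secrets-controller` makes the controller depend on a resource it did not reference in 0.14.4. Please confirm the matching CRD is part of this same manifest and is applied before or together with the controller rollout, otherwise the controller will be watching a kind the API server does not serve yet.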
@@ -18231,20 +19004,23 @@
- "secretstores/finalizers"
- "clustersecretstores"
- "clustersecretstores/status"
- "clustersecretstores/finalizers"
- "clusterexternalsecrets"
- "clusterexternalsecrets/status"
- "clusterexternalsecrets/finalizers"
- "pushsecrets"
- "pushsecrets/status"
- "pushsecrets/finalizers"
+ - "clusterpushsecrets"
+ - "clusterpushsecrets/status"
+ - "clusterpushsecrets/finalizers"
verbs:
- "get"
- "update"
- "patch"
- apiGroups:
- "generators.external-secrets.io"
resources:
- "generatorstates"
verbs:
- "get"
@@ -18318,43 +19094,52 @@
- "create"
- "patch"
- apiGroups:
- "external-secrets.io"
resources:
- "externalsecrets"
verbs:
- "create"
- "update"
- "delete"
+ - apiGroups:
+ - "external-secrets.io"
+ resources:
+ - "pushsecrets"
+ verbs:
+ - "create"
+ - "update"
+ - "delete"
---
# Source: external-secrets/charts/external-secrets/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: external-secrets-view
labels:
- helm.sh/chart: external-secrets-0.14.4
+ helm.sh/chart: external-secrets-0.15.0
app.kubernetes.io/name: external-secrets
app.kubernetes.io/instance: external-secrets
- app.kubernetes.io/version: "v0.14.4"
+ app.kubernetes.io/version: "v0.15.0"
app.kubernetes.io/managed-by: Helm
rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- "external-secrets.io"
resources:
- "externalsecrets"
- "secretstores"
- "clustersecretstores"
- "pushsecrets"
+ - "clusterpushsecrets"
verbs:
- "get"
- "watch"
- "list"
- apiGroups:
- "generators.external-secrets.io"
resources:
- "acraccesstokens"
- "clustergenerators"
- "ecrauthorizationtokens"
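Review bot: the new rule added just before the `external-secrets-view` document grants `create`, `update` and `delete` on `pushsecrets` through a ClusterRole, so the holder can now author PushSecrets in any namespace, which was not possible in 0.14.4. A PushSecret instructs the operator to write Kubernetes Secret data out to an external provider, so this is a real widening of what the controller identity can do, not a label change. If prod does not use ClusterPushSecret, I would like an audit-log alert on PushSecret writes by the controller service account before this merges. Also in this hunk, `clusterpushsecrets` joins `external-secrets-view`, which carries the `aggregate-to-view`, `aggregate-to-edit` and `aggregate-to-admin` labels, so read access extends to everyone holding those built-in roles.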
@@ -18371,35 +19156,36 @@
- "get"
- "watch"
- "list"
---
# Source: external-secrets/charts/external-secrets/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: external-secrets-edit
labels:
- helm.sh/chart: external-secrets-0.14.4
+ helm.sh/chart: external-secrets-0.15.0
app.kubernetes.io/name: external-secrets
app.kubernetes.io/instance: external-secrets
- app.kubernetes.io/version: "v0.14.4"
+ app.kubernetes.io/version: "v0.15.0"
app.kubernetes.io/managed-by: Helm
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- "external-secrets.io"
resources:
- "externalsecrets"
- "secretstores"
- "clustersecretstores"
- "pushsecrets"
+ - "clusterpushsecrets"
verbs:
- "create"
- "delete"
- "deletecollection"
- "patch"
- "update"
- apiGroups:
- "generators.external-secrets.io"
resources:
- "acraccesstokens"
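Review bot: adding `- "clusterpushsecrets"` to `external-secrets-edit` gives `create`, `delete`, `deletecollection`, `patch` and `update` on it to every subject holding the aggregated `edit` or `admin` role, because of the `aggregate-to-edit` and `aggregate-to-admin` labels. Assuming the resource is cluster-scoped, as its name and its neighbour `clustersecretstores` suggest, this only takes effect for subjects bound through a ClusterRoleBinding. Please list who holds `edit` or `admin` cluster-wide in prod and confirm they should be able to manage this resource.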
@@ -18421,65 +19207,66 @@
- "patch"
- "update"
---
# Source: external-secrets/charts/external-secrets/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: external-secrets-servicebindings
labels:
servicebinding.io/controller: "true"
- helm.sh/chart: external-secrets-0.14.4
+ helm.sh/chart: external-secrets-0.15.0
app.kubernetes.io/name: external-secrets
app.kubernetes.io/instance: external-secrets
- app.kubernetes.io/version: "v0.14.4"
+ app.kubernetes.io/version: "v0.15.0"
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
- "external-secrets.io"
resources:
- "externalsecrets"
+ - "pushsecrets"
verbs:
- "get"
- "list"
- "watch"
---
# Source: external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: external-secrets-cert-controller
labels:
- helm.sh/chart: external-secrets-0.14.4
+ helm.sh/chart: external-secrets-0.15.0
app.kubernetes.io/name: external-secrets-cert-controller
app.kubernetes.io/instance: external-secrets
- app.kubernetes.io/version: "v0.14.4"
+ app.kubernetes.io/version: "v0.15.0"
app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: external-secrets-cert-controller
subjects:
- name: external-secrets-cert-controller
namespace: github-runner
kind: ServiceAccount
---
# Source: external-secrets/charts/external-secrets/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: external-secrets-controller
labels:
- helm.sh/chart: external-secrets-0.14.4
+ helm.sh/chart: external-secrets-0.15.0
app.kubernetes.io/name: external-secrets
app.kubernetes.io/instance: external-secrets
- app.kubernetes.io/version: "v0.14.4"
+ app.kubernetes.io/version: "v0.15.0"
app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: external-secrets-controller
subjects:
- name: external-secrets
namespace: github-runner
kind: ServiceAccount
---
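Review bot: `- "pushsecrets"` is added to `external-secrets-servicebindings`, which carries `servicebinding.io/controller: "true"`, so any service-binding controller that aggregates on that label gains get/list/watch on PushSecrets. If no such controller runs in prod the role is inert; if one does, confirm it has a reason to read PushSecret specs. The two ClusterRoleBindings in the rest of the hunk change labels only and keep the same `roleRef` and `subjects`.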
@@ -18500,24 +19287,24 @@
name: certmanager-auth
namespace: cert-manager
---
# Source: external-secrets/charts/external-secrets/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: external-secrets-leaderelection
namespace: github-runner
labels:
- helm.sh/chart: external-secrets-0.14.4
+ helm.sh/chart: external-secrets-0.15.0
app.kubernetes.io/name: external-secrets
app.kubernetes.io/instance: external-secrets
- app.kubernetes.io/version: "v0.14.4"
+ app.kubernetes.io/version: "v0.15.0"
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
- ""
resources:
- "configmaps"
resourceNames:
- "external-secrets-controller"
verbs:
- "get"
@@ -18539,45 +19326,45 @@
- "update"
- "patch"
---
# Source: external-secrets/charts/external-secrets/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: external-secrets-leaderelection
namespace: github-runner
labels:
- helm.sh/chart: external-secrets-0.14.4
+ helm.sh/chart: external-secrets-0.15.0
app.kubernetes.io/name: external-secrets
app.kubernetes.io/instance: external-secrets
- app.kubernetes.io/version: "v0.14.4"
+ app.kubernetes.io/version: "v0.15.0"
app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: external-secrets-lead
[Truncated: Diff output was too large]
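Review bot: the diff is cut off at `[Truncated: Diff output was too large]`, in the middle of the `external-secrets-leaderelection` RoleBinding, so the rest of the rendered manifest for 0.15.0 is not reviewable here. Render the chart for 0.14.4 and 0.15.0 locally and diff the remainder before approving; the RBAC changes above should not be approved on their own.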
10e4dd6 to fc1287a
This PR contains the following updates:
0.14.4 -> 0.15.0
Release Notes
external-secrets/external-secrets (external-secrets)
v0.15.0
Compare Source
Image: ghcr.io/external-secrets/external-secrets:v0.15.0
Image: ghcr.io/external-secrets/external-secrets:v0.15.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.15.0-ubi-boringssl
What's Changed
ecbeb81 to 5993454 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4553
3f2b64e to 95ea148 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4554
New Contributors
Full Changelog: external-secrets/external-secrets@v0.14.4...v0.15.0
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.