chore(deps): update helm release external-secrets to v0.16.2 #48

public-glueops-renovatebot · 2025-04-14T17:35:47Z

This PR contains the following updates:

Package	Update	Change
external-secrets	minor	`0.14.4` -> `0.16.2`

Release Notes

external-secrets/external-secrets (external-secrets)

`v0.16.2`

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.16.2
Image: ghcr.io/external-secrets/external-secrets:v0.16.2-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.16.2-ubi-boringssl

BREAKING CHANGE

When updating to v0.16.2, if you leverage Generators with refreshInterval: 0 or any refreshPolicy to not update it, this version WILL FORCE THAT VALUE TO BE UPDATED.

Apologies to the user base, we did not expect this breaking change behavior out of these contributions. 🙇 🙏

Image: ghcr.io/external-secrets/external-secrets:v0.16.1
Image: ghcr.io/external-secrets/external-secrets:v0.16.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.16.1-ubi-boringssl

What's Changed

chore: bump helm to 0.16.0 by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4660
fix: remove crds from bundle by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4664
fix: applying several pipeline fixes by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4667
fix: pipeline permissions by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4669
fix: publish permissions by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4670
fix: prevent is-fork by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4671
fix: publish workflow by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4672
fix: conversion setting on bundle crds by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4673
fix: remove the conversion hook completely by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4675

Full Changelog: external-secrets/external-secrets@v0.16.0...v0.16.1

Guide to Promoting to 0.16

Pre Upgrade checks

Make sure you are not using any `v1alpha1` resources across all of your infrastructure.

You can do that by performing manual inspection on your manifests, tooling, etc.

Make sure there are no storedVersions on v1alpha1 for `externalsecrets`, `clusterexternalsecrets`, `secretstores` and `clustersecretstores` crds:

Run the following command:

kubectl get crd \
    externalsecrets.external-secrets.io\
    secretstores.external-secrets.io\
    clustersecretstores.external-secrets.io\
    clusterexternalsecrets.external-secrets.io\
    -o jsonpath='{.items[*].status.storedVersions[?(@&#8203;=="v1alpha1")]}' | \
    grep -q v1alpha1 && echo "NOT SAFE! REMOVE v1alpha1 FROM YOUR STORED VERSIONS" || echo "Safe to Continue"

If that command returns not safe, remove v1alpha1 from your stored versions. Make sure this status is persisted after you verify these commands.

kubectl patch --subresource=status crd externalsecrets.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd secretstores.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd clusterexternalsecrets.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd clustersecretstores.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]'

Upgrading

CRDs as part of external-secrets installation

If you're installing external-secrets CRDs with helm (installCRDs=true - the default), all you need to do is

helm repo update
helm upgrade <your_app_name> external-secrets/external-secrets --version 0.16.1

The same goes if you're using argocd or flux and managing crds directly with helm. The above should just work.

CRDs installed separately

If CRDs are installed separately, the first step you need to do is bump the crds:

kubectl apply -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.16.1/deploy/crds/bundle.yaml

Verify no error occurs. After that, you can freely migrate external-secrets to v0.16.1.

Troubleshooting

conversion webhook for external-secrets.io/v1, Kind=ExternalSecret failed: the server could not find the requested resource

Root cause: the CRD installation process failed.
Double check your CRD installation process finished successfully

`v0.16.0`

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.16.0
Image: ghcr.io/external-secrets/external-secrets:v0.16.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.16.0-ubi-boringssl

!!! warning
it is known v0.16.0 will not be an easy upgrade if you're not consuming from our official sources via helm.
we are improving the upgrade path for users depending on kustomize in 0.16.1. Please be patient :)

Guide to Promoting to 0.16

Pre Upgrade checks

Make sure you are not using any `v1alpha1` resources across all of your infrastructure.

You can do that by performing manual inspection on your manifests, tooling, etc.

Make sure there are no storedVersions on v1alpha1 for `externalsecrets`, `clusterexternalsecrets`, `secretstores` and `clustersecretstores` crds:

Run the following command:

kubectl get crd \
    externalsecrets.external-secrets.io\
    secretstores.external-secrets.io\
    clustersecretstores.external-secrets.io\
    clusterexternalsecrets.external-secrets.io\
    -o jsonpath='{.items[*].status.storedVersions[?(@&#8203;=="valpha1")]}' | \
    grep -q v1alpha1 && echo "NOT SAFE! REMOVE v1alpha1 FROM YOUR STORED VERSIONS" || echo "Safe to Continue"

If that command returns not safe, remove v1alpha1 from your stored versions. Make sure this status is persisted after you verify these commands.

kubectl patch --subresource=status crd externalsecrets.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd secretstores.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd clusterexternalsecrets.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd clustersecretstores.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]'

Upgrading

CRDs as part of external-secrets installation

If you're installing external-secrets CRDs with helm (installCRDs=true - the default), all you need to do is

helm repo update
helm upgrade <your_app_name> external-secrets/external-secrets --version 0.16.1

The same goes if you're using argocd or flux and managing crds directly with helm. The above should just work.

CRDs installed separately

If CRDs are installed separately, the first step you need to do is bump the crds:

kubectl apply -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.16.1/deploy/crds/bundle.yaml

Verify no error occurs. After that, you can freely migrate external-secrets to v0.16.1.

Troubleshooting

conversion webhook for external-secrets.io/v1, Kind=ExternalSecret failed: the server could not find the requested resource

Root cause: the CRD installation process failed.
Double check your CRD installation process finished successfully

spec.conversion.webhookClientConfig: Forbidden: should not be set when strategy is not set to Webhook

Use 0.16.1 as opposed to 0.16.0 on your installation path. That should be fixed on this release

My issue is not here What do I do?

Add a message to https://github.com/external-secrets/external-secrets/issues/4662

BREAKING CHANGES

This release introduces quite a few breaking changes, including:

Removal of Conversion Webhooks and SecretStore/v1alpha1, ExternalSecret/v1alpha1 and their cluster counterparts
Promotion of ExternalSecret/v1 and SecretStore/v1 and their cluster counterparts
Removal of v1 templating engine
Removal of ValueMaps from Fake Secret Store

if you have any issues during your upgrade, please check https://github.com/external-secrets/external-secrets/issues/4662

What's Changed

chore: bump 0.15.1 by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4599
chore(deps): bump distroless/static from 95ea148 to 3d0f463 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4602
chore(deps): bump actions/setup-python from 5.4.0 to 5.5.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4603
chore(deps): bump crazy-max/ghaction-import-gpg from 6.2.0 to 6.3.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4605
chore(deps): bump goreleaser/goreleaser-action from 6.2.1 to 6.3.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4606
chore(deps): bump github/codeql-action from 3.28.12 to 3.28.13 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4607
chore(deps): bump mkdocs-material from 9.6.9 to 9.6.10 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4608
remove days from refreshInterval docs by @lmcewen9 in https://github.com/external-secrets/external-secrets/pull/4601
feat: Add AWSProvider.prefix to aws secrets manager by @justinwalz in https://github.com/external-secrets/external-secrets/pull/4612
feat(aws): support for aws tags by @ivankatliarchuk in https://github.com/external-secrets/external-secrets/pull/4538
docs: remove OLM installation and release docs by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4617
chore: update dependencies by @eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4609
chore(deps): bump golang from 1.24.1 to 1.24.2 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4618
chore(deps): bump termcolor from 2.5.0 to 3.0.1 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4619
chore(deps): bump mkdocs-material from 9.6.10 to 9.6.11 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4620
chore(deps): bump golang from 1.24.1-bookworm to 1.24.2-bookworm in /e2e by @dependabot in https://github.com/external-secrets/external-secrets/pull/4621
fix(gcp): makes workload identity parameters optional by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4622
chore: update dependencies by @eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4624
feat: check-diff on update deps by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4632
docs: fix pento website url in the docs by @pragmaticivan in https://github.com/external-secrets/external-secrets/pull/4639
Support annotations on ValidatingWebhookConfigurations in order to su… by @davidkarlsen in https://github.com/external-secrets/external-secrets/pull/4638
fix: controller-options by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4637
fix: failure on github deprecation use of status checks by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4640
fix: replace error check with ok check by @iurisevero in https://github.com/external-secrets/external-secrets/pull/4636
feat: add refreshPolicy field to ExternalSecret for enhanced synchronization control by @Sn0rt in https://github.com/external-secrets/external-secrets/pull/4594
fix: enhancing security for new workflow by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4641
chore(deps): bump golang from 75e6700 to 00eccd4 in /e2e by @dependabot in https://github.com/external-secrets/external-secrets/pull/4644
chore(deps): bump golang from 7772cb5 to 7772cb5 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4649
chore(deps): bump github/codeql-action from 3.28.13 to 3.28.15 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4645
chore(deps): bump markdown from 3.7 to 3.8 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4646
chore(deps): bump urllib3 from 2.3.0 to 2.4.0 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4647
chore: update dependencies by @eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4651
chore: bump go to 1.24.2 by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4652
chore: promote v1 by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4635
fix: revert main to 0.15.1 by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4657
fix: restore 0.16.0 by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4659

New Contributors

@lmcewen9 made their first contribution in https://github.com/external-secrets/external-secrets/pull/4601
@justinwalz made their first contribution in https://github.com/external-secrets/external-secrets/pull/4612
@ivankatliarchuk made their first contribution in https://github.com/external-secrets/external-secrets/pull/4538
@pragmaticivan made their first contribution in https://github.com/external-secrets/external-secrets/pull/4639
@davidkarlsen made their first contribution in https://github.com/external-secrets/external-secrets/pull/4638

Full Changelog: external-secrets/external-secrets@v0.15.1...v0.16.0

`v0.15.1`

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.15.1
Image: ghcr.io/external-secrets/external-secrets:v0.15.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.15.1-ubi-boringssl

`v0.15.0`

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.15.0
Image: ghcr.io/external-secrets/external-secrets:v0.15.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.15.0-ubi-boringssl

What's Changed

chore: update helm charts to v0.14.4 by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4531
Fix certificate revisionHistoryLimit schema by @Aransh in https://github.com/external-secrets/external-secrets/pull/4534
Improve Grafana generator integration with in-cluster Grafana by @solidDoWant in https://github.com/external-secrets/external-secrets/pull/4519
feat: introduce codeql scan for code sections by @Setland34 in https://github.com/external-secrets/external-secrets/pull/4198
feat: add metadata setting to encode secrets as decoded values by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4535
Update full-pushsecret.yaml by @Eitan1112 in https://github.com/external-secrets/external-secrets/pull/4547
chore(deps): bump mkdocs-material from 9.6.7 to 9.6.8 in /hack/api-docs by @dependabot in https://github.com/external-secrets/external-secrets/pull/4555
chore(deps): bump aquasecurity/trivy-action from 0.29.0 to 0.30.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4550
chore(deps): bump docker/login-action from 3.3.0 to 3.4.0 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4551
chore(deps): bump golangci/golangci-lint-action from 6.5.0 to 6.5.1 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4552
fix: skip none-existing keys by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4517
chore(deps): bump ubi8/ubi from ecbeb81 to 5993454 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4553
fix: define top level permissions and fix token scope by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4543
Fix Grafana generator not passing desired SA role to creation request by @solidDoWant in https://github.com/external-secrets/external-secrets/pull/4533
chore(deps): bump distroless/static from 3f2b64e to 95ea148 by @dependabot in https://github.com/external-secrets/external-secrets/pull/4554
feat: non standard templating delimiters by @gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4558
chore: update dependencies by @eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4556
feat: add cloud.ru secret manager support by @default23 in https://github.com/external-secrets/external-secrets/pull/3716
fix: check if secret is being deleted during fetch by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4562
feat: cluster push secret with pushing all secrets from a namespace by @Skarlso in https://github.com/external-secrets/external-secrets/pull/4162

New Contributors

@solidDoWant made their first contribution in https://github.com/external-secrets/external-secrets/pull/4519
@Setland34 made their first contribution in https://github.com/external-secrets/external-secrets/pull/4198
@Eitan1112 made their first contribution in https://github.com/external-secrets/external-secrets/pull/4547
@default23 made their first contribution in https://github.com/external-secrets/external-secrets/pull/3716

Full Changelog: external-secrets/external-secrets@v0.14.4...v0.15.0

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

public-glueops-renovatebot bot added the auto-update label Apr 14, 2025

github-actions bot added include-in-release-notes patch labels Apr 14, 2025

public-glueops-renovatebot bot changed the title ~~chore(deps): update helm release external-secrets to v0.16.0~~ chore(deps): update helm release external-secrets to v0.16.1 Apr 16, 2025

public-glueops-renovatebot bot force-pushed the renovate/external-secrets-0.16.x branch from 6d51f22 to 0a19820 Compare April 16, 2025 10:50

public-glueops-renovatebot bot changed the title ~~chore(deps): update helm release external-secrets to v0.16.1~~ chore(deps): update helm release external-secrets to v0.16.2 May 7, 2025

public-glueops-renovatebot bot force-pushed the renovate/external-secrets-0.16.x branch from 3e1fb38 to cd86c05 Compare May 7, 2025 12:46

chore(deps): update helm release external-secrets to v0.16.2

05633bf

public-glueops-renovatebot bot force-pushed the renovate/external-secrets-0.16.x branch from 34af5e7 to 05633bf Compare May 16, 2025 15:50

docs: automated helm-docs action

c221abf

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): update helm release external-secrets to v0.16.2 #48

chore(deps): update helm release external-secrets to v0.16.2 #48

Uh oh!

public-glueops-renovatebot bot commented Apr 14, 2025 •

edited

Loading

Uh oh!

Uh oh!

chore(deps): update helm release external-secrets to v0.16.2 #48

Are you sure you want to change the base?

chore(deps): update helm release external-secrets to v0.16.2 #48

Uh oh!

Conversation

public-glueops-renovatebot bot commented Apr 14, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

v0.16.2

BREAKING CHANGE

What's Changed

New Contributors

v0.16.1

What's Changed

Guide to Promoting to 0.16

Pre Upgrade checks

Make sure you are not using any v1alpha1 resources across all of your infrastructure.

Make sure there are no storedVersions on v1alpha1 for externalsecrets, clusterexternalsecrets, secretstores and clustersecretstores crds:

Upgrading

CRDs as part of external-secrets installation

CRDs installed separately

Troubleshooting

conversion webhook for external-secrets.io/v1, Kind=ExternalSecret failed: the server could not find the requested resource

v0.16.0

Guide to Promoting to 0.16

Pre Upgrade checks

Make sure you are not using any v1alpha1 resources across all of your infrastructure.

Make sure there are no storedVersions on v1alpha1 for externalsecrets, clusterexternalsecrets, secretstores and clustersecretstores crds:

Upgrading

CRDs as part of external-secrets installation

CRDs installed separately

Troubleshooting

conversion webhook for external-secrets.io/v1, Kind=ExternalSecret failed: the server could not find the requested resource

spec.conversion.webhookClientConfig: Forbidden: should not be set when strategy is not set to Webhook

My issue is not here What do I do?

BREAKING CHANGES

What's Changed

New Contributors

v0.15.1

v0.15.0

What's Changed

New Contributors

Configuration

Uh oh!

Uh oh!

public-glueops-renovatebot bot commented Apr 14, 2025 •

edited

Loading

`v0.16.2`

`v0.16.1`

Make sure you are not using any `v1alpha1` resources across all of your infrastructure.

Make sure there are no storedVersions on v1alpha1 for `externalsecrets`, `clusterexternalsecrets`, `secretstores` and `clustersecretstores` crds:

`v0.16.0`

Make sure you are not using any `v1alpha1` resources across all of your infrastructure.

Make sure there are no storedVersions on v1alpha1 for `externalsecrets`, `clusterexternalsecrets`, `secretstores` and `clustersecretstores` crds:

`v0.15.1`

`v0.15.0`