Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(helm): update chart external-secrets to 0.12.1 #371

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat(helm): update chart external-secrets to 0.12.1 #371

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Sep 14, 2024
edited
Loading

This PR contains the following updates:

Package Update Change
external-secrets minor 0.10.2 -> 0.12.1

Release Notes

external-secrets/external-secrets (external-secrets)

v0.12.1

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.12.1
Image: ghcr.io/external-secrets/external-secrets:v0.12.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.12.1-ubi-boringssl

What's Changed

Full Changelog: external-secrets/external-secrets@v0.12.0...v0.12.1

v0.11.0

Compare Source

Deprecation of OLM Releases

As of 0.11.0 is the last release available for OLM until further notice. Depending on the way this goes, we might still have OLM support (ideally with a properly built operator for that), but for sure in a different support scheme as to not overload maintainers anymore.
Also a valid note - you can still use 0.11.0 OLM release and the newest ESO images, you just need to set image.tag appropriately in your setup.

Kubernetes API load and significant decrease

A new way of reconciling external secrets has been added with pull request #​4086.

This significantly reduces the number of API calls that we make to the kubernetes API server.

  1. Memory usage might increase if you are not already using --enable-secrets-caching
    1. If you are using --enable-secrets-caching and want to decrease memory usage at the expense of slightly higher API usage, you can disable it and only enable --enable-managed-secrets-caching (which is the new default)
  2. In ALL cases (even when CreationPolicy is Merge), if a data key in the target Secret was created by the ExternalSecret, and it no longer exists in the template (or data/dataFrom), it will be removed from the target secret:
    1. This might cause some peoples secrets to be "cleaned of data keys" when updating to 0.11.
    2. Previously, the behaviour was undefined, and confusing because it was sort of broken when the template feature was added.
    3. The one exception is that ALL the data suddenly becomes empty and the DeletionPolicy is retain, in which case we will not even report and error, just change the SecretSynced message to explain that the secret was retained.
  3. When CreationPolicy is Owner, we now will NEVER retain any keys and fully calculate the "desired state" of the target secret each loop:
    1. This means that some peoples secrets might have keys removed when updating to 0.11.
Generators and ClusterGenerator

We added ClusterGenerators and Generator caching as well. This might create some problems in the way generators are defined now.

CRD Admission Restrictions

All of the CRDs now have proper kubebuilder markers for validation. This might surprise someone leaving out some data that was essentially actually required or expected in a certain format. This is now validated in #​4104.

Images

Image: ghcr.io/external-secrets/external-secrets:v0.11.0
Image: ghcr.io/external-secrets/external-secrets:v0.11.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.11.0-ubi-boringssl

What's Changed
New Contributors

Full Changelog: external-secrets/external-secrets@v0.10.7...v0.11.0

v0.10.7

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.10.7
Image: ghcr.io/external-secrets/external-secrets:v0.10.7-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.10.7-ubi-boringssl

What's Changed
New Contributors

Full Changelog: external-secrets/external-secrets@v0.10.6...v0.10.7

v0.10.6

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.10.6
Image: ghcr.io/external-secrets/external-secrets:v0.10.6-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.10.6-ubi-boringssl

What's Changed
New Contributors

Full Changelog: external-secrets/external-secrets@v0.10.5...v0.10.6

v0.10.5

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.10.5
Image: ghcr.io/external-secrets/external-secrets:v0.10.5-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.10.5-ubi-boringssl

What's Changed
New Contributors

Full Changelog: external-secrets/external-secrets@v0.10.4...v0.10.5

v0.10.4

Compare Source

WARNING: With this update, Pulumi has added projectID to it's required properties.

Image: oci.external-secrets.io/external-secrets/external-secrets:v0.10.4
Image: oci.external-secrets.io/external-secrets/external-secrets:v0.10.4-ubi
Image: oci.external-secrets.io/external-secrets/external-secrets:v0.10.4-ubi-boringssl

Default image registry change

From this version onwards, the default image registry name will be oci.external-secrets.io. While GHCR.io will keep on working for the foreseeable future, this change is to allow an eventual migration away from GHCR.

deprecation of GHCR - if performed, will be announced previous to its implementation and switch.

What's Changed

New Contributors

Full Changelog: external-secrets/external-secrets@v0.10.3...v0.10.4

v0.10.3

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.10.3
Image: ghcr.io/external-secrets/external-secrets:v0.10.3-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.10.3-ubi-boringssl

What's Changed

Configuration

📅 Schedule: Branch creation - "on saturday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@jsaveker
Copy link
Owner

Here is an automated review from ChatGPT of this pull request.

There were no direct security issues that could be identified from the provided git diff. The diff shows an update to the external-secrets chart version from 0.10.2 to 0.10.3 in a HelmRelease YAML configuration for Kubernetes. Updating software and dependencies can indeed be a good practice in terms of security to ensure that any patches for vulnerabilities found in previous versions are applied.

However, without further context regarding the changes and improvements between these two versions of external-secrets, and without knowing the security posture or the fixes that version 0.10.3 introduces, it's hard to make a direct judgement on security implications. Generally, it is recommended to:

  1. Review Release Notes: Before updating, review the release notes or change logs of external-secrets version 0.10.3 to identify any specific security fixes or breaking changes that could affect your current deployment.
  2. Test in a Staging Environment: Ensure that this version update is tested in a non-production environment to verify that it does not introduce any new issues or incompatibilities.
  3. Follow Best Practices for Secrets Management: Irrespective of this update, ensure that best practices are followed for managing secrets in Kubernetes. This includes limiting access to secrets using role-based access control (RBAC), encrypting secrets at rest, and avoiding hard-coded secrets.

Given the lack of detailed context or complexities within this diff, this is the advice that can be offered. Remember, it's critical to keep dependencies up-to-date while also ensuring that such updates do not inadvertently introduce new vulnerabilities or conflicts into your environment.

@renovate renovate bot changed the title fix(helm): update chart external-secrets to 0.10.3 fix(helm): update chart external-secrets to 0.10.4 Sep 25, 2024
@renovate renovate bot force-pushed the renovate/external-secrets-0.x branch from 97703a8 to c4e59a4 Compare September 25, 2024 13:28
@renovate renovate bot force-pushed the renovate/external-secrets-0.x branch from c4e59a4 to ad194c5 Compare October 25, 2024 06:14
@renovate renovate bot changed the title fix(helm): update chart external-secrets to 0.10.4 fix(helm): update chart external-secrets to 0.10.5 Oct 25, 2024
@renovate renovate bot force-pushed the renovate/external-secrets-0.x branch from ad194c5 to 6ca39e5 Compare November 20, 2024 20:56
@renovate renovate bot changed the title fix(helm): update chart external-secrets to 0.10.5 fix(helm): update chart external-secrets to 0.10.6 Nov 20, 2024
@renovate renovate bot force-pushed the renovate/external-secrets-0.x branch from 6ca39e5 to efe80b5 Compare November 23, 2024 10:14
@renovate renovate bot changed the title fix(helm): update chart external-secrets to 0.10.6 fix(helm): update chart external-secrets to 0.10.7 Nov 23, 2024
@renovate renovate bot force-pushed the renovate/external-secrets-0.x branch from efe80b5 to b85f45a Compare December 2, 2024 09:51
@renovate renovate bot changed the title fix(helm): update chart external-secrets to 0.10.7 feat(helm): update chart external-secrets to 0.11.0 Dec 2, 2024
@renovate renovate bot force-pushed the renovate/external-secrets-0.x branch from b85f45a to b5e6080 Compare December 6, 2024 03:08
@renovate renovate bot changed the title feat(helm): update chart external-secrets to 0.11.0 feat(helm): update chart external-secrets to 0.12.1 Dec 23, 2024
@renovate renovate bot force-pushed the renovate/external-secrets-0.x branch from b5e6080 to 384ef4e Compare December 23, 2024 21:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
area/kubernetes renovate/helm type/patch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@jsaveker