feat(helm): update chart external-secrets ( 0.10.7 → 0.11.0 )

[lab-assistant]

This PR contains the following updates:

Package	Update	Change
external-secrets	minor	0.10.7 -> 0.11.0

---

Release Notes

external-secrets/external-secrets (external-secrets)

v0.11.0

Compare Source

Kubernetes API load and significant decrease

A new way of reconciling external secrets has been added with pull request #​4086.

This significantly reduces the number of API calls that we make to the kubernetes API server.

1. Memory usage might increase if you are not already using --enable-secrets-caching
   1. If you are using --enable-secrets-caching and want to decrease memory usage at the expense of slightly higher API usage, you can disable it and only enable --enable-managed-secrets-caching (which is the new default)
2. In ALL cases (even when CreationPolicy is Merge), if a data key in the target Secret was created by the ExternalSecret, and it no longer exists in the template (or data/dataFrom), it will be removed from the target secret:
   1. This might cause some peoples secrets to be "cleaned of data keys" when updating to 0.11.
   2. Previously, the behaviour was undefined, and confusing because it was sort of broken when the template feature was added.
   3. The one exception is that ALL the data suddenly becomes empty and the DeletionPolicy is retain, in which case we will not even report and error, just change the SecretSynced message to explain that the secret was retained.
3. When CreationPolicy is Owner, we now will NEVER retain any keys and fully calculate the "desired state" of the target secret each loop:
   1. This means that some peoples secrets might have keys removed when updating to 0.11.

Generators and ClusterGenerator

We added ClusterGenerators and Generator caching as well. This might create some problems in the way generators are defined now.

CRD Admission Restrictions

All of the CRDs now have proper kubebuilder markers for validation. This might surprise someone leaving out some data that was essentially actually required or expected in a certain format. This is now validated in #​4104.

Images

Image: ghcr.io/external-secrets/external-secrets:v0.11.0
Image: ghcr.io/external-secrets/external-secrets:v0.11.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.11.0-ubi-boringssl

What's Changed

• chore: bump version v0.10.7 by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4141
• feat: significantly reduce api calls and introduce partial secret cache by @​thesuperzapper in https://github.com/external-secrets/external-secrets/pull/4086
• chore(deps): bump mkdocs-material from 9.5.44 to 9.5.45 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4143
• chore(deps): bump tornado from 6.4.1 to 6.4.2 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4144
• chore(deps): bump codecov/codecov-action from 5.0.2 to 5.0.7 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4145
• chore(deps): bump aquasecurity/trivy-action from 0.28.0 to 0.29.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4146
• chore(deps): bump github/codeql-action from 3.27.4 to 3.27.5 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4147
• chore: update dependencies by @​eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4148
• fix: gitlab empty response by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4152
• feat: add ability to push expiration date to secret in azure key vault by @​deggja in https://github.com/external-secrets/external-secrets/pull/4149
• feat: implement a cluster-wide generator by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4140
• feat: Add API key auth support on BeyondTrust provider by @​dtejadav in https://github.com/external-secrets/external-secrets/pull/4101
• Add support for multiple Items fields in DelineSecretServer secrets by @​ronaldosaheki in https://github.com/external-secrets/external-secrets/pull/4051
• chore: deprecation policy and deprecating process by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4154
• fix: use cache when retrieving generators by @​thesuperzapper in https://github.com/external-secrets/external-secrets/pull/4153
• fix: e2e test for AWS not setting name and namespace by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4157
• fix: handle managed identity ClientID or ResourceID in acr generator by @​bonddim in https://github.com/external-secrets/external-secrets/pull/4150
• feat: add CRD validation for resource name/key fields by @​thesuperzapper in https://github.com/external-secrets/external-secrets/pull/4104
• fix: issues with generators by @​thesuperzapper in https://github.com/external-secrets/external-secrets/pull/4163

New Contributors

• @​thesuperzapper made their first contribution in https://github.com/external-secrets/external-secrets/pull/4086
• @​deggja made their first contribution in https://github.com/external-secrets/external-secrets/pull/4149
• @​dtejadav made their first contribution in https://github.com/external-secrets/external-secrets/pull/4101
• @​ronaldosaheki made their first contribution in https://github.com/external-secrets/external-secrets/pull/4051
• @​bonddim made their first contribution in https://github.com/external-secrets/external-secrets/pull/4150

Full Changelog: external-secrets/external-secrets@v0.10.7...v0.11.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[lab-assistant]

--- kubernetes/main/apps/security/external-secrets/app Kustomization: flux-system/external-secrets HelmRelease: security/external-secrets

+++ kubernetes/main/apps/security/external-secrets/app Kustomization: flux-system/external-secrets HelmRelease: security/external-secrets

@@ -14,13 +14,13 @@

       chart: external-secrets
       interval: 30m
       sourceRef:
         kind: HelmRepository
         name: external-secrets
         namespace: flux-system
-      version: 0.10.7
+      version: 0.11.0
   interval: 30m
   values:
     certController:
       image:
         repository: ghcr.io/external-secrets/external-secrets
       serviceMonitor:

[lab-assistant]

--- HelmRelease: security/external-secrets ClusterRole: security/external-secrets-controller

+++ HelmRelease: security/external-secrets ClusterRole: security/external-secrets-controller

@@ -43,17 +43,20 @@

   - update
   - patch
 - apiGroups:
   - generators.external-secrets.io
   resources:
   - acraccesstokens
+  - clustergenerators
   - ecrauthorizationtokens
   - fakes
   - gcraccesstokens
   - githubaccesstokens
   - passwords
+  - stssessiontokens
+  - uuids
   - vaultdynamicsecrets
   - webhooks
   verbs:
   - get
   - list
   - watch
--- HelmRelease: security/external-secrets ClusterRole: security/external-secrets-view

+++ HelmRelease: security/external-secrets ClusterRole: security/external-secrets-view

@@ -23,12 +23,13 @@

   - watch
   - list
 - apiGroups:
   - generators.external-secrets.io
   resources:
   - acraccesstokens
+  - clustergenerators
   - ecrauthorizationtokens
   - fakes
   - gcraccesstokens
   - githubaccesstokens
   - passwords
   - vaultdynamicsecrets
--- HelmRelease: security/external-secrets ClusterRole: security/external-secrets-edit

+++ HelmRelease: security/external-secrets ClusterRole: security/external-secrets-edit

@@ -24,12 +24,13 @@

   - patch
   - update
 - apiGroups:
   - generators.external-secrets.io
   resources:
   - acraccesstokens
+  - clustergenerators
   - ecrauthorizationtokens
   - fakes
   - gcraccesstokens
   - githubaccesstokens
   - passwords
   - vaultdynamicsecrets
--- HelmRelease: security/external-secrets Deployment: security/external-secrets-cert-controller

+++ HelmRelease: security/external-secrets Deployment: security/external-secrets-cert-controller

@@ -34,13 +34,13 @@

             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
-        image: ghcr.io/external-secrets/external-secrets:v0.10.7
+        image: ghcr.io/external-secrets/external-secrets:v0.11.0
         imagePullPolicy: IfNotPresent
         args:
         - certcontroller
         - --crd-requeue-interval=5m
         - --service-name=external-secrets-webhook
         - --service-namespace=security
--- HelmRelease: security/external-secrets Deployment: security/external-secrets

+++ HelmRelease: security/external-secrets Deployment: security/external-secrets

@@ -34,13 +34,13 @@

             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
-        image: ghcr.io/external-secrets/external-secrets:v0.10.7
+        image: ghcr.io/external-secrets/external-secrets:v0.11.0
         imagePullPolicy: IfNotPresent
         args:
         - --concurrent=1
         - --metrics-addr=:8080
         - --loglevel=info
         - --zap-time-encoding=epoch
--- HelmRelease: security/external-secrets Deployment: security/external-secrets-webhook

+++ HelmRelease: security/external-secrets Deployment: security/external-secrets-webhook

@@ -34,13 +34,13 @@

             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
-        image: ghcr.io/external-secrets/external-secrets:v0.10.7
+        image: ghcr.io/external-secrets/external-secrets:v0.11.0
         imagePullPolicy: IfNotPresent
         args:
         - webhook
         - --port=10250
         - --dns-name=external-secrets-webhook.security.svc
         - --cert-dir=/tmp/certs