
@renovate renovate bot commented Aug 16, 2025

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| external-secrets | patch | 0.19.1 -> 0.19.2 |

Release Notes

external-secrets/external-secrets (external-secrets)

v0.19.2

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.19.2
Image: ghcr.io/external-secrets/external-secrets:v0.19.2-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.19.2-ubi-boringssl

What's Changed

New Contributors

Full Changelog: external-secrets/external-secrets@v0.19.1...v0.19.2


Configuration

📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

claude bot commented Aug 16, 2025

Claude finished @renovate[bot]'s task —— View job


Code Review Complete

Review Checklist:

  • Read modified HelmRelease file
  • Analyze release notes for breaking changes
  • Check security implications
  • Verify repository conventions compliance
  • Assess performance considerations
  • Provide comprehensive feedback

Review Summary

This PR updates the external-secrets Helm chart from version 0.19.1 to 0.19.2. After thorough analysis, this is a safe and recommended update.

Code Quality & Best Practices ✅

The change follows excellent practices:

  • Clean, minimal change: Only the version number is updated (kubernetes/apps/external-secrets/external-secrets/app/helmrelease.yaml:12)
  • Proper Helm chart management: Uses Flux HelmRelease with appropriate configuration
  • Repository conventions: Follows the established pattern from CLAUDE.md for Helm chart updates
  • Automated dependency management: Renovate handling ensures consistent updates

Security Analysis ✅

Positive security aspects:

  • Patch release: 0.19.1 → 0.19.2 is a patch version, indicating bug fixes rather than breaking changes
  • Security-focused fixes: Release notes show several important security improvements:
    • Fix for secretstore selection scoping in push secrets (#5109)
    • Fix for secret list call scoping to proper namespace (#5133)
  • Dependency updates: Includes Go runtime bump (1.24.5 → 1.24.6) addressing potential security vulnerabilities
  • No exposed secrets: The HelmRelease correctly depends on onepassword-connect for secret management

Performance Considerations ✅

Performance improvements:

  • Namespace scoping fixes: The security fixes also improve performance by properly scoping database queries to relevant namespaces
  • Helm chart optimization: Release includes helm-values-schema-json plugin update (2.2.1) for better validation performance
  • No performance regressions: Patch version indicates no breaking changes or performance impacts

Potential Issues & Recommendations 🔍

Minor considerations:

  1. Testing: While this is a patch update, consider running integration tests to verify ExternalSecret resources continue functioning correctly
  2. Monitoring: Watch for any errors in external-secrets controller logs after deployment
  3. Rollback readiness: The HelmRelease correctly configures rollback strategy, but ensure monitoring is in place

Repository-specific observations:

  • ✅ Properly configured with 1Password integration
  • ✅ ServiceMonitor enabled for observability
  • ✅ Correct dependency on onepassword-connect
  • ✅ Follows repository's storage and secret management patterns

Test Coverage Assessment 📋

The current HelmRelease configuration includes good operational practices:

  • Retry mechanisms: 3 retries for install/upgrade failures
  • Rollback strategy: Automatic rollback on failed upgrades
  • Health checks: ServiceMonitor configuration for Prometheus integration
  • Dependency management: Proper dependsOn configuration

Recommendation: Consider adding a basic smoke test in the repository's CI/CD pipeline to validate ExternalSecret CRD functionality after chart upgrades.

Conclusion ✅

This PR is approved for merge. The external-secrets 0.19.2 update includes important security fixes and performance improvements with no breaking changes. The change follows repository conventions and maintains the existing secure configuration.

Key benefits of this update:

  • Enhanced security through better namespace scoping
  • Performance improvements in secret management
  • Updated dependencies including Go runtime
  • Bug fixes for push secret functionality
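
The review's point that only the version number changes can be checked mechanically against a rendered manifest diff. The following is an added example, not part of the PR or of either bot's output; the function names and the sample diff (including its third hunk) are constructed for illustration.

```python
import re

# Constructed sample: a rendered-manifest diff shaped like the ones on this PR,
# plus a third changed pair that a version bump does not explain.
SAMPLE_DIFF = """\
@@ -13,13 +13,13 @@
       chart: external-secrets
-      version: 0.19.1
+      version: 0.19.2
@@ -34,13 +34,13 @@
           runAsNonRoot: true
-        image: oci.external-secrets.io/external-secrets/external-secrets:v0.19.1
+        image: oci.external-secrets.io/external-secrets/external-secrets:v0.19.2
         imagePullPolicy: IfNotPresent
@@ -30,7 +30,7 @@
-          readOnlyRootFilesystem: true
+          readOnlyRootFilesystem: false
"""

def changed_lines(diff_text):
    """Collect removed and added lines, skipping file and hunk headers."""
    removed, added = [], []
    for line in diff_text.splitlines():
        if line.startswith(("--- ", "+++ ", "@@")):
            continue
        if line.startswith("-"):
            removed.append(line[1:])
        elif line.startswith("+"):
            added.append(line[1:])
    return removed, added

def unexplained_changes(diff_text, old, new):
    """Return every change that is not a pure old -> new version substitution."""
    removed, added = changed_lines(diff_text)
    # Match the version only as a whole token: 0.19.1 must not match 0.19.10.
    old_re = re.compile(r"(?<![\d.])" + re.escape(old) + r"(?![\d.])")
    remaining, findings = list(added), []
    for before in removed:
        want = old_re.sub(lambda _m: new, before)
        if want != before and want in remaining:
            remaining.remove(want)  # explained by the bump
        else:
            findings.append(("removed", before.strip()))
    findings.extend(("added", line.strip()) for line in remaining)
    return findings

if __name__ == "__main__":
    for kind, text in unexplained_changes(SAMPLE_DIFF, "0.19.1", "0.19.2"):
        print(f"REVIEW {kind}: {text}")
```

An empty result means every changed line is accounted for by the declared bump; anything returned is a line a human should read before merging.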

@github-actions

--- kubernetes/apps/external-secrets/external-secrets/app Kustomization: flux-system/external-secrets HelmRelease: external-secrets/external-secrets

+++ kubernetes/apps/external-secrets/external-secrets/app Kustomization: flux-system/external-secrets HelmRelease: external-secrets/external-secrets

@@ -13,13 +13,13 @@

     spec:
       chart: external-secrets
       sourceRef:
         kind: HelmRepository
         name: external-secrets
         namespace: flux-system
-      version: 0.19.1
+      version: 0.19.2
   dependsOn:
   - name: onepassword-connect
     namespace: external-secrets
   install:
     remediation:
       retries: 3
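
Review bot: The context under the `version:` change shows only `install.remediation.retries: 3`, yet moving from 0.19.1 to 0.19.2 exercises the upgrade path, and no `upgrade.remediation` block is visible in this hunk. Confirm that the rest of helmrelease.yaml sets upgrade remediation (retries plus a rollback or uninstall strategy) so a failed upgrade is handled rather than left in a failed state.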

@github-actions

--- HelmRelease: external-secrets/external-secrets Deployment: external-secrets/external-secrets-cert-controller

+++ HelmRelease: external-secrets/external-secrets Deployment: external-secrets/external-secrets-cert-controller

@@ -34,13 +34,13 @@

             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
-        image: oci.external-secrets.io/external-secrets/external-secrets:v0.19.1
+        image: oci.external-secrets.io/external-secrets/external-secrets:v0.19.2
         imagePullPolicy: IfNotPresent
         args:
         - certcontroller
         - --crd-requeue-interval=5m
         - --service-name=external-secrets-webhook
         - --service-namespace=external-secrets
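
Review bot: The new `image:` line references `v0.19.2` by tag only, and with `imagePullPolicy: IfNotPresent` a node that already holds that tag in its cache will not pull it again. Consider pinning the digest alongside the tag (`...:v0.19.2@sha256:<digest>`), if the chart values allow it, so every node runs the same image content. The same applies to the other two Deployments in this diff.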
--- HelmRelease: external-secrets/external-secrets Deployment: external-secrets/external-secrets

+++ HelmRelease: external-secrets/external-secrets Deployment: external-secrets/external-secrets

@@ -34,13 +34,13 @@

             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
-        image: oci.external-secrets.io/external-secrets/external-secrets:v0.19.1
+        image: oci.external-secrets.io/external-secrets/external-secrets:v0.19.2
         imagePullPolicy: IfNotPresent
         args:
         - --concurrent=1
         - --metrics-addr=:8080
         - --loglevel=info
         - --zap-time-encoding=epoch
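
Review bot: The rendered `image:` line pulls from `oci.external-secrets.io/external-secrets/external-secrets`, while the release notes in the PR description list the v0.19.2 images under `ghcr.io/external-secrets/external-secrets`. The registry host is not changed by this PR, but it is worth confirming that the `oci.external-secrets.io` path is the intended source and resolves to the same image as the published ghcr.io tag, for example by comparing digests.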
--- HelmRelease: external-secrets/external-secrets Deployment: external-secrets/external-secrets-webhook

+++ HelmRelease: external-secrets/external-secrets Deployment: external-secrets/external-secrets-webhook

@@ -34,13 +34,13 @@

             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
-        image: oci.external-secrets.io/external-secrets/external-secrets:v0.19.1
+        image: oci.external-secrets.io/external-secrets/external-secrets:v0.19.2
         imagePullPolicy: IfNotPresent
         args:
         - webhook
         - --port=10250
         - --dns-name=external-secrets-webhook.external-secrets.svc
         - --cert-dir=/tmp/certs

@albatrossflavour albatrossflavour merged commit 9ab4664 into main Aug 24, 2025
5 checks passed
@albatrossflavour albatrossflavour deleted the renovate/external-secrets-0.x branch August 24, 2025 09:09