feat(helm)!: Update chart external-secrets to 2.0.1

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change
external-secrets	major	0.20.4 → 2.0.1

---

Release Notes

external-secrets/external-secrets (external-secrets)

v2.0.1

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v2.0.1
Image: ghcr.io/external-secrets/external-secrets:v2.0.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v2.0.1-ubi-boringssl

What's Changed

General

• chore: release helm chart for v2.0.0 by @​Skarlso in #​5932
• docs: update the stability doc with the new version by @​Skarlso in #​5933
• chore(doc): add loblaw to adopter md by @​FZhg in #​5937
• chore: bump golang to 1.25.7 because of cve by @​Skarlso in #​5938
• fix: deleting the whole secret when it is empty by @​Skarlso in #​5927
• chore: update controller runtime by @​Skarlso in #​5930
• fix: update cosign and syft for signing by @​Skarlso in #​5958
• fix: the informer can not register use GetInformer instead by @​Skarlso in #​5931
• fix: attempt to fix cosign compatibility issues by @​gusfcarvalho in #​5959
• chore: remove outdated info from stability doc by @​Skarlso in #​5971
• chore(deps): update Masterminds/sprig to 8cb06fe… by @​tete17 in #​5747
• docs(release): Update support matrix by @​evrardjp in #​5978

Dependencies

• chore(deps): bump golang from 20c8a94 to f6751d8 by @​dependabot[bot] in #​5940
• chore(deps): bump ubi9/ubi from c8df11b to b8923f5 by @​dependabot[bot] in #​5939
• chore(deps): bump distroless/static from cd64bec to 972618c by @​dependabot[bot] in #​5941
• chore(deps): bump github/codeql-action from 4.32.0 to 4.32.2 by @​dependabot[bot] in #​5942
• chore(deps): bump anchore/sbom-action from 0.22.1 to 0.22.2 by @​dependabot[bot] in #​5943
• chore(deps): bump step-security/harden-runner from 2.14.1 to 2.14.2 by @​dependabot[bot] in #​5944
• chore(deps): bump zizmorcore/zizmor-action from 0.4.1 to 0.5.0 by @​dependabot[bot] in #​5945
• chore(deps): bump fossas/fossa-action from 1.7.0 to 1.8.0 by @​dependabot[bot] in #​5946
• chore(deps): bump aws-actions/configure-aws-credentials from 5.1.1 to 6.0.0 by @​dependabot[bot] in #​5947
• chore(deps): bump github/codeql-action from 4.32.2 to 4.32.3 by @​dependabot[bot] in #​5965
• chore(deps): bump markdown from 3.10.1 to 3.10.2 in /hack/api-docs by @​dependabot[bot] in #​5968
• chore(deps): bump aquasecurity/trivy-action from 0.33.1 to 0.34.0 by @​dependabot[bot] in #​5964
• chore(deps): bump platformdirs from 4.5.1 to 4.9.2 in /hack/api-docs by @​dependabot[bot] in #​5967
• chore(deps): bump pymdown-extensions from 10.20.1 to 10.21 in /hack/api-docs by @​dependabot[bot] in #​5969

New Contributors

• @​FZhg made their first contribution in #​5937

Full Changelog: external-secrets/external-secrets@v2.0.0...v2.0.1

v2.0.0

Compare Source

BREAKING CHANGE

Please note that this release removed two of the unsupported and unmaintained providers Alibaba and Device42.

Image: ghcr.io/external-secrets/external-secrets:v2.0.0
Image: ghcr.io/external-secrets/external-secrets:v2.0.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v2.0.0-ubi-boringssl

What's Changed

General

• chore: bump charts to 1.3.2 by @​gusfcarvalho in #​5923
• feat(charts): add hostAliases support by @​janlauber in #​5866
• chore: remove unmaintained secret stores by @​Skarlso in #​5918
• docs(infisical): document al provider auth methods by @​varonix0 in #​5929
• chore: Get validating webhook failurePolicy for Secretstore dynamically by @​LochanRn in #​5605

New Contributors

• @​LochanRn made their first contribution in #​5605

Full Changelog: external-secrets/external-secrets@v1.3.2...v2.0.0

v1.3.2

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v1.3.2
Image: ghcr.io/external-secrets/external-secrets:v1.3.2-ubi
Image: ghcr.io/external-secrets/external-secrets:v1.3.2-ubi-boringssl

What's Changed

General

• chore: release helm chart for v1.3.1 by @​Skarlso in #​5860
• chore(chart): Add missing tests for readinessProbe by @​jcpunk in #​5769
• docs: Update FluxCD example by @​umizoom in #​5862
• fix(ci): Removed the unused check for Windows in Makefile by @​HauptJ in #​5870
• docs(release): Add actual dates for EOL of 1.x releases in stability and support page by @​n4zukker in #​5889
• docs: Passbolt provider maintenance ownership by @​stripthis in #​5886
• chore: Update Passbolt MaintenanceStatus to MaintenanceStatusMaintained by @​stripthis in #​5887
• fix(security): sanitize json.Unmarshal errors to prevent secret data … by @​moolen in #​5884
• fix: webhook initialization order by @​gusfcarvalho in #​5901
• chore: Cleanup flags by @​evrardj-roche in #​5845
• fix: onepasswordsdk shared tenant by altering the provider in the client cache by @​Skarlso in #​5921

Dependencies

• chore(deps): bump github/codeql-action from 4.31.10 to 4.31.11 by @​dependabot[bot] in #​5873
• chore(deps): bump pymdown-extensions from 10.20 to 10.20.1 in /hack/api-docs by @​dependabot[bot] in #​5877
• chore(deps): bump markdown from 3.10 to 3.10.1 in /hack/api-docs by @​dependabot[bot] in #​5880
• chore(deps): bump ubi9/ubi from 22e9573 to 1f84f5c by @​dependabot[bot] in #​5871
• chore(deps): bump actions/setup-python from 6.1.0 to 6.2.0 by @​dependabot[bot] in #​5872
• chore(deps): bump hashicorp/setup-terraform from 93d5a27 to dcc3150 by @​dependabot[bot] in #​5875
• chore(deps): bump actions/checkout from 6.0.1 to 6.0.2 by @​dependabot[bot] in #​5876
• chore(deps): bump step-security/harden-runner from 2.14.0 to 2.14.1 by @​dependabot[bot] in #​5878
• chore(deps): bump anchore/sbom-action from 0.21.1 to 0.22.0 by @​dependabot[bot] in #​5874
• chore(deps): bump packaging from 25.0 to 26.0 in /hack/api-docs by @​dependabot[bot] in #​5879
• chore(deps): bump golang from d9b2e14 to 98e6cff by @​dependabot[bot] in #​5907
• chore(deps): bump alpine from 865b95f to 2510918 in /hack/api-docs by @​dependabot[bot] in #​5914
• chore(deps): bump docker/login-action from 3.6.0 to 3.7.0 by @​dependabot[bot] in #​5909
• chore(deps): bump actions/cache from 5.0.2 to 5.0.3 by @​dependabot[bot] in #​5912
• chore(deps): bump actions/attest-build-provenance from 3.1.0 to 3.2.0 by @​dependabot[bot] in #​5910
• chore(deps): bump hashicorp/setup-terraform from dcc3150 to ce70bcf by @​dependabot[bot] in #​5911
• chore(deps): bump ubi9/ubi from 1f84f5c to c8df11b by @​dependabot[bot] in #​5908
• chore(deps): bump alpine from 3.23.2 to 3.23.3 in /e2e by @​dependabot[bot] in #​5915
• chore(deps): bump alpine from 865b95f to 2510918 by @​dependabot[bot] in #​5906
• chore(deps): bump pathspec from 1.0.3 to 1.0.4 in /hack/api-docs by @​dependabot[bot] in #​5916
• chore(deps): bump babel from 2.17.0 to 2.18.0 in /hack/api-docs by @​dependabot[bot] in #​5917
• chore(deps): bump github/codeql-action from 4.31.11 to 4.32.0 by @​dependabot[bot] in #​5913

New Contributors

• @​umizoom made their first contribution in #​5862
• @​HauptJ made their first contribution in #​5870
• @​n4zukker made their first contribution in #​5889
• @​stripthis made their first contribution in #​5886

Full Changelog: external-secrets/external-secrets@v1.3.1...v1.3.2

v1.3.1

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v1.3.1
Image: ghcr.io/external-secrets/external-secrets:v1.3.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v1.3.1-ubi-boringssl

For a Full release please referre to https://github.com/external-secrets/external-secrets/releases/tag/v1.3.0. This is a fix build for the docker publish flow.

What's Changed

General

• fix: ignore the in-toto manifest when promoting the docker build by @​Skarlso in #​5859

Full Changelog: external-secrets/external-secrets@v1.3.0...v1.3.1

v1.2.1

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v1.2.1
Image: ghcr.io/external-secrets/external-secrets:v1.2.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v1.2.1-ubi-boringssl

What's Changed

General

• chore(chart): release helm chart 1.2.0 by @​jakobmoellerdev in #​5751
• fix: metrics not being correctly updated and deleted by @​Skarlso in #​5714
• feat(infisical): add caBundle and caProvider support by @​wi-adam in #​5770
• docs(apis): fix inaccurate SecretStore comments (v1 + v1beta1) by @​fallmo in #​5773
• fix: add missing link to the docs by @​Skarlso in #​5783
• fix: for target template parsing for complex matchers by @​Skarlso in #​5735
• fix: a lot of sonar issue fixes by @​Skarlso in #​5771

Dependencies

• chore(deps): bump golang from 2611181 to ac09a5f by @​dependabot[bot] in #​5758
• chore(deps): bump alpine from 3.23.0 to 3.23.2 in /e2e by @​dependabot[bot] in #​5764
• chore(deps): bump importlib-metadata from 8.7.0 to 8.7.1 in /hack/api-docs by @​dependabot[bot] in #​5768
• chore(deps): bump tornado from 6.5.3 to 6.5.4 in /hack/api-docs by @​dependabot[bot] in #​5767
• chore(deps): bump mkdocs-material from 9.7.0 to 9.7.1 in /hack/api-docs by @​dependabot[bot] in #​5766
• chore(deps): bump alpine from 51183f2 to 865b95f in /hack/api-docs by @​dependabot[bot] in #​5765
• chore(deps): bump alpine from 51183f2 to 865b95f by @​dependabot[bot] in #​5756
• chore(deps): bump ubi9/ubi from d4feb57 to 3816d30 by @​dependabot[bot] in #​5757
• chore(deps): bump peter-evans/slash-command-dispatch from 5.0.1 to 5.0.2 by @​dependabot[bot] in #​5763
• chore(deps): bump github/codeql-action from 4.31.8 to 4.31.9 by @​dependabot[bot] in #​5762
• chore(deps): bump actions/attest-build-provenance from 3.0.0 to 3.1.0 by @​dependabot[bot] in #​5761
• chore(deps): bump docker/setup-buildx-action from 3.11.1 to 3.12.0 by @​dependabot[bot] in #​5760
• chore(deps): bump hashicorp/setup-terraform from 071811a to 92e4d08 by @​dependabot[bot] in #​5759
• chore(deps): bump anchore/sbom-action from 0.20.11 to 0.21.0 by @​dependabot[bot] in #​5784

New Contributors

• @​wi-adam made their first contribution in #​5770
• @​fallmo made their first contribution in #​5773

Full Changelog: external-secrets/external-secrets@v1.2.0...v1.2.1

v1.2.0

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v1.2.0
Image: ghcr.io/external-secrets/external-secrets:v1.2.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v1.2.0-ubi-boringssl

What's Changed

General

• chore: bump 1.1.1 by @​gusfcarvalho in #​5687
• chore: fix the argocd e2e test case by @​Skarlso in #​5688
• feat(provider): add Barbican provider support by @​rkferreira in #​5398
• docs(secretserver): promote secretserver provider to beta by @​DelineaSahilWankhede in #​5668
• feat(controller): add flag to enable/disable secretstore reconcile by @​Ilhan-Personal in #​5653
• fix(aws-secrets-manager): Apply filtering based on both name and tags if provided by @​iypetrov in #​5685
• fix(gcpsm): SecretExists should check for regional secrets when store location is specified by @​tokiwong in #​5708
• feat: introduce store deprecation by @​gusfcarvalho in #​5711
• feat(charts): add global values for common deployment configurations by @​Gabryel8818 in #​5652
• feat: add Doppler OIDC-based authentication by @​mikesellitto in #​5475
• fix: make custom configuration available regardless of environment by @​Skarlso in #​5713
• chore(chart): update bitwarden dependency to v0.5.2 by @​Skarlso in #​5719
• docs(templating): update rbac for generic targets by @​lostick in #​5736
• fix(testing): Breaking changes should not break ci by @​evrardjp in #​5739
• fix(security): Get rid of getSecretKey by @​evrardjp in #​5738
• fix(aws): parse resource policies into canonical JSON (sorted) before comparing by @​cmoscofian in #​5622
• docs: Fix example in GCP documentation by @​headcr4sh in #​5745
• chore(secretserver): update dependencies to accept new DelineaXPM/tss-sdk-go by @​DelineaSahilWankhede in #​5742
• fix(gcpsm): Improve SecretExists method in GCP secret manager provider by @​tosih in #​5610
• chore(docs): add clarification to helm values being disabled by @​Skarlso in #​5746
• fix(release): apply 64dc681 to release by @​jakobmoellerdev in #​5749
• docs(release): 1.2 stability-support.md by @​jakobmoellerdev in #​5750

Dependencies

• chore(deps): bump golang from 1.25.4 to 1.25.5 by @​dependabot[bot] in #​5693
• chore(deps): bump golang from 1.25.4-bookworm to 1.25.5-bookworm in /e2e by @​dependabot[bot] in #​5702
• chore(deps): bump ubi9/ubi from dcd8128 to 75937d9 by @​dependabot[bot] in #​5655
• chore(deps): bump peter-evans/slash-command-dispatch from 5.0.0 to 5.0.1 by @​dependabot[bot] in #​5695
• chore(deps): bump github/codeql-action from 4.31.5 to 4.31.7 by @​dependabot[bot] in #​5696
• chore(deps): bump actions/stale from 10.1.0 to 10.1.1 by @​dependabot[bot] in #​5697
• chore(deps): bump actions/create-github-app-token from 2.2.0 to 2.2.1 by @​dependabot[bot] in #​5700
• chore(deps): bump step-security/harden-runner from 2.13.2 to 2.13.3 by @​dependabot[bot] in #​5698
• chore(deps): bump actions/checkout from 6.0.0 to 6.0.1 by @​dependabot[bot] in #​5699
• chore(deps): bump platformdirs from 4.5.0 to 4.5.1 in /hack/api-docs by @​dependabot[bot] in #​5705
• chore(deps): bump distroless/static from 87bce11 to 4b2a093 by @​dependabot[bot] in #​5692
• chore(deps): bump alpine from 3.22 to 3.23 in /hack/api-docs by @​dependabot[bot] in #​5703
• chore(deps): bump urllib3 from 2.5.0 to 2.6.0 in /hack/api-docs by @​dependabot[bot] in #​5704
• chore(deps): bump pymdown-extensions from 10.17.2 to 10.18 in /hack/api-docs by @​dependabot[bot] in #​5706
• chore(deps): bump alpine from 3.22.2 to 3.23.0 in /e2e by @​dependabot[bot] in #​5701
• chore(deps): bump golang from 2611181 to 2611181 by @​dependabot[bot] in #​5721
• chore(deps): bump codecov/codecov-action from 5.5.1 to 5.5.2 by @​dependabot[bot] in #​5725
• chore(deps): bump urllib3 from 2.6.0 to 2.6.2 in /hack/api-docs by @​dependabot[bot] in #​5730
• chore(deps): bump github/codeql-action from 4.31.7 to 4.31.8 by @​dependabot[bot] in #​5726
• chore(deps): bump anchore/sbom-action from 0.20.10 to 0.20.11 by @​dependabot[bot] in #​5724
• chore(deps): bump tornado from 6.5.2 to 6.5.3 in /hack/api-docs by @​dependabot[bot] in #​5732
• chore(deps): bump ubi9/ubi from 75937d9 to d4feb57 by @​dependabot[bot] in #​5722
• chore(deps): bump golang from 5117d68 to 09f53de in /e2e by @​dependabot[bot] in #​5729
• chore(deps): bump alpine from 4b7ce07 to 51183f2 by @​dependabot[bot] in #​5694
• chore(deps): bump hashicorp/setup-terraform from 712b439 to 071811a by @​dependabot[bot] in #​5727
• chore(deps): bump pymdown-extensions from 10.18 to 10.19.1 in /hack/api-docs by @​dependabot[bot] in #​5731
• chore(deps): bump step-security/harden-runner from 2.13.3 to 2.14.0 by @​dependabot[bot] in #​5728
• chore(deps): bump actions/cache from 4.3.0 to 5.0.1 by @​dependabot[bot] in #​5723

New Contributors

• @​iypetrov made their first contribution in #​5685
• @​tokiwong made their first contribution in #​5708
• @​Gabryel8818 made their first contribution in #​5652
• @​mikesellitto made their first contribution in #​5475
• @​lostick made their first contribution in #​5736
• @​cmoscofian made their first contribution in #​5622
• @​headcr4sh made their first contribution in #​5745
• @​tosih made their first contribution in #​5610

Full Changelog: external-secrets/external-secrets@v1.1.1...v1.2.0

v1.1.1

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v1.1.1
Image: ghcr.io/external-secrets/external-secrets:v1.1.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v1.1.1-ubi-boringssl

What's Changed

General

• chore(chart): release helm chart 1.1.0 by @​Skarlso in #​5619
• docs: improve spec.md by exporting generator types by @​gusfcarvalho in #​5624
• chore(deps): remove sprig fork by @​Skarlso in #​5626
• fix: report 404 secrets correctly in Gitlab provider by @​alekc in #​5104
• docs(secretserver): update documentation to include Platform compatibility by @​DelineaSahilWankhede in #​5546
• docs: add llm policy by @​Skarlso in #​5649
• fix: pass in the token to the build and publish container by @​Skarlso in #​5651
• test(secretserver): improve test coverage for SecretServer provider by @​DelineaSahilWankhede in #​5641
• fix: docs pipeline by @​rkferreira in #​5663
• fix: modify the url of the remote to include the token by @​Skarlso in #​5664
• feat(helm): add dynamic labelSelector if not define in topologySpread… by @​fe80 in #​5065
• feat: Support retry settings for Doppler provider by @​maduonline in #​5608
• feat(beyondtrust): enable pushing secrets in BeyondTrust provider by @​btfhernandez in #​5586
• fix: correctly merge map fields during templating by @​Skarlso in #​5671
• fix: use patch instead of update for finalizers addition and removal by @​Skarlso in #​5670
• feat(oracle): implement SecretExists by @​anders-swanson in #​5672
• fix(security): create provider for webhook & fake by @​ShimonDarshan in #​5628
• fix: set client transport to use GitHub Enterprise URL by @​fred-gagnon in #​5662
• feat(generator): Password generator can generate and expose multiple passwords by @​Trojanekkk in #​5669
• fix: run check diff on main by @​Skarlso in #​5681
• feat: bitwardenServerSDKURL is required for bitwardensecretsmanager by @​budimanjojo in #​5679
• fix: update the refreshInterval formatting everywhere by @​Skarlso in #​5680
• clean: Update conjur-api-go; Disable credential storage by @​szh in #​5648
• fix: add live-reload to make docs.serve by @​gusfcarvalho in #​5676
• fix: remove cached artifacts after build by @​gusfcarvalho in #​5686
• fix(keepersecurity): properly handle fields key by @​pepordev in #​5674

Dependencies

• chore(deps): bump golang from d3f0cf7 to d3f0cf7 by @​dependabot[bot] in #​5630
• chore(deps): bump golang from 7419f54 to e174196 in /e2e by @​dependabot[bot] in #​5638
• chore(deps): bump zizmorcore/zizmor-action from 0.2.0 to 0.3.0 by @​dependabot[bot] in #​5637
• chore(deps): bump actions/setup-go from 6.0.0 to 6.1.0 by @​dependabot[bot] in #​5636
• chore(deps): bump anchore/sbom-action from 0.20.9 to 0.20.10 by @​dependabot[bot] in #​5635
• chore(deps): bump actions/create-github-app-token from 2.1.4 to 2.2.0 by @​dependabot[bot] in #​5634
• chore(deps): bump github/codeql-action from 4.31.3 to 4.31.4 by @​dependabot[bot] in #​5633
• chore(deps): bump aws-actions/configure-aws-credentials from f2964c7 to 4a54c24 by @​dependabot[bot] in #​5632
• chore(deps): bump actions/checkout from 5.0.0 to 6.0.0 by @​dependabot[bot] in #​5631
• chore(deps): bump pymdown-extensions from 10.17.1 to 10.17.2 in /hack/api-docs by @​dependabot[bot] in #​5660
• chore(deps): bump softprops/action-gh-release from 2.4.2 to 2.5.0 by @​dependabot[bot] in #​5656
• chore(deps): bump actions/setup-python from 6.0.0 to 6.1.0 by @​dependabot[bot] in #​5657
• chore(deps): bump peter-evans/slash-command-dispatch from 4.0.0 to 5.0.0 by @​dependabot[bot] in #​5658
• chore(deps): bump hashicorp/setup-terraform from 4c5fdab to 712b439 by @​dependabot[bot] in #​5659

New Contributors

• @​fe80 made their first contribution in #​5065
• @​maduonline made their first contribution in #​5608
• @​fred-gagnon made their first contribution in #​5662
• @​Trojanekkk made their first contribution in #​5669
• @​budimanjojo made their first contribution in #​5679

Full Changelog: external-secrets/external-secrets@v1.1.0...v1.1.1

v1.1.0

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v1.1.0
Image: ghcr.io/external-secrets/external-secrets:v1.1.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v1.1.0-ubi-boringssl

What's Changed

!NOTE!: During last community meeting we discussed that we are retiring our scarf account. With that, we will be changing back to ghcr.io/external-secrets/external-secrets instead of oci.external-secrets.io/external-secrets/external-secrets.

For now, the old domain will live for a couple months to give people to change back. With this release , the values in the helm chart that define where the image is switched back to ghcr.

The helm-chart itself is served from under github-pages so that does not move.

General

• chore(chart): release helm chart 1.0.0 by @​Skarlso in #​5552
• feat(security): add support for ECDSA ssh keys by @​bigjazzsound in #​5559
• fix: minor typo in comment of KeeperSecurity example by @​mdjong1 in #​5573
• docs(gcp): update documentation for using WorkloadIdentityFederation in non-GKE cluster by @​jennweir in #​5556
• chore(release): add darwin_arm64 releases by @​lbordowitz in #​5583
• feat: support override IAM endpoint in IBM provider for APIkey auth by @​fidel-ruiz in #​5550
• feat(security): build tags for all the providers to disable them on d… by @​ShimonDarshan in #​5578
• fix: do not include the last element of the path in the iteration by @​Skarlso in #​5588
• fix(k8s): support deleting whole secret by @​tiagolobocastro in #​5538
• fix(provider): configure TLS for secret server provider by @​Lumexralph in #​5558
• chore(aws): remove any usage of aws-sdk-v1 by @​Skarlso in #​5590
• fix(gcp): check for secret version exists in PushSecret by @​bpalko in #​5593
• feat(vault): add GCP Workload Identity authentication support by @​SamuelMolling in #​5356
• chore: fix sonar cloud issues by @​Skarlso in #​5405
• chore(aws-sdk-v2): update dependencies to accept new aws regions by @​damienpuig in #​5577
• feat(chart): use ghcr.io instead of our own domain by @​evrardjp in #​5617

Dependencies

• chore(deps): bump golang from 1.25.3 to 1.25.4 by @​dependabot[bot] in #​5560
• chore(deps): bump golang from 1.25.3-bookworm to 1.25.4-bookworm in /e2e by @​dependabot[bot] in #​5568
• chore(deps): bump step-security/harden-runner from 2.13.1 to 2.13.2 by @​dependabot[bot] in #​5561
• chore(deps): bump softprops/action-gh-release from 2.4.1 to 2.4.2 by @​dependabot[bot] in #​5564
• chore(deps): bump helm/chart-testing-action from 2.7.0 to 2.8.0 by @​dependabot[bot] in #​5565
• chore(deps): bump aws-actions/configure-aws-credentials from 0d00a56 to 2475ef7 by @​dependabot[bot] in #​5562
• chore(deps): bump helm/kind-action from 1.12.0 to 1.13.0 by @​dependabot[bot] in #​5563
• chore(deps): bump docker/setup-qemu-action from 3.6.0 to 3.7.0 by @​dependabot[bot] in #​5567
• chore(deps): bump regex from 2025.10.23 to 2025.11.3 in /hack/api-docs by @​dependabot[bot] in #​5570
• chore(deps): bump markdown from 3.9 to 3.10 in /hack/api-docs by @​dependabot[bot] in #​5569
• chore(deps): bump hashicorp/setup-terraform from 982f6f0 to 4c5fdab by @​dependabot[bot] in #​5566
• chore(deps): bump golang from d3f0cf7 to d3f0cf7 by @​dependabot[bot] in #​5595
• chore(deps): bump github/codeql-action from 4.31.2 to 4.31.3 by @​dependabot[bot] in #​5596
• chore(deps): bump click from 8.3.0 to 8.3.1 in /hack/api-docs by @​dependabot[bot] in #​5602
• chore(deps): bump ubi9/ubi from dec374e to dcd8128 by @​dependabot[bot] in #​5594
• chore(deps

---

Configuration

📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

--- kubernetes/apps/security/external-secrets/app Kustomization: flux-system/external-secrets HelmRelease: security/external-secrets

+++ kubernetes/apps/security/external-secrets/app Kustomization: flux-system/external-secrets HelmRelease: security/external-secrets

@@ -14,13 +14,13 @@

       chart: external-secrets
       interval: 30m
       sourceRef:
         kind: HelmRepository
         name: external-secrets-charts
         namespace: flux-system
-      version: 0.20.4
+      version: 2.0.1
   install:
     remediation:
       retries: 3
   interval: 30m
   upgrade:
     cleanupOnFail: true

[github-actions]

--- HelmRelease: security/external-secrets Deployment: security/bitwarden-sdk-server

+++ HelmRelease: security/external-secrets Deployment: security/bitwarden-sdk-server

@@ -22,13 +22,13 @@

     spec:
       serviceAccountName: bitwarden-sdk-server
       securityContext: {}
       containers:
       - name: bitwarden-sdk-server
         securityContext: {}
-        image: ghcr.io/external-secrets/bitwarden-sdk-server:v0.5.1
+        image: ghcr.io/external-secrets/bitwarden-sdk-server:v0.5.2
         imagePullPolicy: IfNotPresent
         volumeMounts:
         - mountPath: /certs
           name: bitwarden-tls-certs
         ports:
         - name: http
@@ -45,15 +45,15 @@

             port: http
             scheme: HTTPS
         resources: {}
       volumes:
       - name: bitwarden-tls-certs
         secret:
+          secretName: bitwarden-tls-certs
           items:
           - key: tls.crt
             path: cert.pem
           - key: tls.key
             path: key.pem
           - key: ca.crt
             path: ca.pem
-          secretName: bitwarden-tls-certs
 
--- HelmRelease: security/external-secrets Deployment: security/external-secrets-cert-controller

+++ HelmRelease: security/external-secrets Deployment: security/external-secrets-cert-controller

@@ -34,13 +34,13 @@

             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
-        image: oci.external-secrets.io/external-secrets/external-secrets:v0.20.4
+        image: ghcr.io/external-secrets/external-secrets:v2.0.1
         imagePullPolicy: IfNotPresent
         args:
         - certcontroller
         - --crd-requeue-interval=5m
         - --service-name=external-secrets-webhook
         - --service-namespace=security
@@ -52,13 +52,16 @@

         - --zap-time-encoding=epoch
         - --enable-partial-cache=true
         ports:
         - containerPort: 8080
           protocol: TCP
           name: metrics
+        - containerPort: 8081
+          protocol: TCP
+          name: ready
         readinessProbe:
           httpGet:
-            port: 8081
+            port: ready
             path: /readyz
           initialDelaySeconds: 20
           periodSeconds: 5
 
--- HelmRelease: security/external-secrets Deployment: security/external-secrets

+++ HelmRelease: security/external-secrets Deployment: security/external-secrets

@@ -34,13 +34,13 @@

             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
-        image: oci.external-secrets.io/external-secrets/external-secrets:v0.20.4
+        image: ghcr.io/external-secrets/external-secrets:v2.0.1
         imagePullPolicy: IfNotPresent
         args:
         - --concurrent=1
         - --metrics-addr=:8080
         - --loglevel=info
         - --zap-time-encoding=epoch
--- HelmRelease: security/external-secrets Deployment: security/external-secrets-webhook

+++ HelmRelease: security/external-secrets Deployment: security/external-secrets-webhook

@@ -34,13 +34,13 @@

             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
-        image: oci.external-secrets.io/external-secrets/external-secrets:v0.20.4
+        image: ghcr.io/external-secrets/external-secrets:v2.0.1
         imagePullPolicy: IfNotPresent
         args:
         - webhook
         - --port=10250
         - --dns-name=external-secrets-webhook.security.svc
         - --cert-dir=/tmp/certs
@@ -53,15 +53,18 @@

         - containerPort: 8080
           protocol: TCP
           name: metrics
         - containerPort: 10250
           protocol: TCP
           name: webhook
+        - containerPort: 8081
+          protocol: TCP
+          name: ready
         readinessProbe:
           httpGet:
-            port: 8081
+            port: ready
             path: /readyz
           initialDelaySeconds: 20
           periodSeconds: 5
         volumeMounts:
         - name: certs
           mountPath: /tmp/certs
--- HelmRelease: security/external-secrets ValidatingWebhookConfiguration: security/secretstore-validate

+++ HelmRelease: security/external-secrets ValidatingWebhookConfiguration: security/secretstore-validate

@@ -29,12 +29,13 @@

       path: /validate-external-secrets-io-v1-secretstore
   admissionReviewVersions:
   - v1
   - v1beta1
   sideEffects: None
   timeoutSeconds: 5
+  failurePolicy: Fail
 - name: validate.clustersecretstore.external-secrets.io
   rules:
   - apiGroups:
     - external-secrets.io
     apiVersions:
     - v1