feat: add finalizers to SecretStores when referenced by PushSecrets with DeletionPolicy=Delete#5163
Merged
Skarlso merged 25 commits intoexternal-secrets:mainfrom Sep 3, 2025
Merged
Conversation
7e5cba8 to
2c4c448
Compare
7019928 to
320b378
Compare
…ith DeletionPolicy=Delete Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com>
Signed-off-by: Jonathan Stacks <jonstacks@users.noreply.github.com> Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com>
…ecrets#5087) Signed-off-by: Pat Riehecky <riehecky@fnal.gov> Co-authored-by: Gergely Brautigam <skarlso777@gmail.com> Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com>
* Added release notes configuration Signed-off-by: Dmytro Bondar <git@bonddim.dev> * Rename title for default category Signed-off-by: Dmytro Bondar <git@bonddim.dev> --------- Signed-off-by: Dmytro Bondar <git@bonddim.dev> Co-authored-by: Gergely Brautigam <skarlso777@gmail.com> Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com>
Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com>
Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com>
Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com>
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Co-authored-by: Moritz Johner <moolen@users.noreply.github.com> Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com>
SAP is an active and collaborating company in the ESO ecosystem. I have the admission of the company to admit us as Adopter. Disclaimer: I work at SAP Signed-off-by: Jakob Möller <jakob.moeller@sap.com> Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com>
…on ps controller Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com>
Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com>
Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com>
Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com>
Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com>
10b2dc7 to
9203779
Compare
Contributor
Author
|
@gusfcarvalho and @jakobmoellerdev could you take a look again? I'm happy about my PR now ;) |
…er CSS/SS Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com>
Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com>
Contributor
jakobmoellerdev
left a comment
There was a problem hiding this comment.
have to do another pass through the shared logic. @Skarlso PTAL here as well
Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com>
…dPushSecrets index to use the entire storeKey Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com>
Contributor
|
I ignored two of the complexity increases to preserve readability, but please refactor |
…tion and add some new comments Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com>
Contributor
Author
Thanks @Skarlso for the feedback! I'll definitely prioritize readability for P.S.: This PR was bigger than I expected 🥲. |
…go file Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com>
Contributor
Author
|
@Skarlso @gusfcarvalho @jakobmoellerdev could you take a look one more time? :) |
Contributor
jakobmoellerdev
left a comment
There was a problem hiding this comment.
thanks for all this work man! 🥳 still have to go for one more pass because of size, so stick with us :D
Co-authored-by: Jakob Möller <contact@jakob-moeller.com> Signed-off-by: Matheus Mazzoni <54732019+matheusmazzoni@users.noreply.github.com>
Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com>
b1c63d1 to
3f9b069
Compare
Contributor
jakobmoellerdev
left a comment
There was a problem hiding this comment.
from my side LGTM, waiting for second reviews. cool stuff 🥳
Skarlso
approved these changes
Sep 3, 2025
Contributor
|
nice work! 🙇 |
|
nielstenboom
pushed a commit
to nielstenboom/external-secrets
that referenced
this pull request
Sep 3, 2025
…ith DeletionPolicy=Delete (external-secrets#5163) * feat: add finalizers to SecretStores when referenced by PushSecrets with DeletionPolicy=Delete Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com> * docs: Fix provider stability and support table (external-secrets#5161) Signed-off-by: Jonathan Stacks <jonstacks@users.noreply.github.com> Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com> * feat(helm): Add control of response to missing prometheus (external-secrets#5087) Signed-off-by: Pat Riehecky <riehecky@fnal.gov> Co-authored-by: Gergely Brautigam <skarlso777@gmail.com> Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com> * chore: Added release notes configuration (external-secrets#5148) * Added release notes configuration Signed-off-by: Dmytro Bondar <git@bonddim.dev> * Rename title for default category Signed-off-by: Dmytro Bondar <git@bonddim.dev> --------- Signed-off-by: Dmytro Bondar <git@bonddim.dev> Co-authored-by: Gergely Brautigam <skarlso777@gmail.com> Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com> * refactor: update fmt after make fmt Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com> * fix: adjust css and ss watches ps Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com> * test: using manager instead of k8s client for get the ps index correctly Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com> * chore: bump bitwarden helm chart version (external-secrets#5044) Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Co-authored-by: Moritz Johner <moolen@users.noreply.github.com> Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com> * chore(docs): update `ADOPTERS.md` to include SAP (external-secrets#5165) SAP is an active and collaborating company in the ESO ecosystem. I have the admission of the company to admit us as Adopter. Disclaimer: I work at SAP Signed-off-by: Jakob Möller <jakob.moeller@sap.com> Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com> * feat: use cmd.Context for index the syncedSecrets and deletionPolicy on ps controller Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com> * chore: using a single finalizer handler for all secret stores Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com> * docs: remove TODO comment from pushsecret controller test Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com> * chore: update the handlerFinalizer logic turnig more readable Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com> * test: create secretstore finalizer management suite Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com> * refactor: remove findForPushSecret code duplication on SetupWithManager CSS/SS Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com> * docs: update suite_test comments Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com> * fix: skip finalizer management when pushsecret feature is disable Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com> * fix: remove handle finalizers from generic_store and update the syncedPushSecrets index to use the entire storeKey Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com> * refactor: improves readability of hasPushSecretsWithDeletePolicy function and add some new comments Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com> * fix: update the code fmt, lint and move some util functions for util.go file Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com> * Apply suggestions from code review Co-authored-by: Jakob Möller <contact@jakob-moeller.com> Signed-off-by: Matheus Mazzoni <54732019+matheusmazzoni@users.noreply.github.com> * refactor: update the watcher based if the pushsecrets is enabled Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com> --------- Signed-off-by: Matheus Mazzoni <matheusdiasmazzoni@gmail.com> Signed-off-by: Jonathan Stacks <jonstacks@users.noreply.github.com> Signed-off-by: Pat Riehecky <riehecky@fnal.gov> Signed-off-by: Dmytro Bondar <git@bonddim.dev> Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Signed-off-by: Jakob Möller <jakob.moeller@sap.com> Signed-off-by: Matheus Mazzoni <54732019+matheusmazzoni@users.noreply.github.com> Co-authored-by: Jonathan Stacks <jonstacks@users.noreply.github.com> Co-authored-by: Pat Riehecky <3534830+jcpunk@users.noreply.github.com> Co-authored-by: Gergely Brautigam <skarlso777@gmail.com> Co-authored-by: Dmytro Bondar <git@bonddim.dev> Co-authored-by: Moritz Johner <moolen@users.noreply.github.com> Co-authored-by: Jakob Möller <jakob.moeller@sap.com> Co-authored-by: Jakob Möller <contact@jakob-moeller.com> Signed-off-by: Niels ten Boom <nielstenboom@gmail.com>
alexlebens
pushed a commit
to alexlebens/infrastructure
that referenced
this pull request
Sep 23, 2025
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [external-secrets](https://github.com/external-secrets/external-secrets) | minor | `0.19.2` -> `0.20.1` | --- ### Release Notes <details> <summary>external-secrets/external-secrets (external-secrets)</summary> ### [`v0.20.1`](https://github.com/external-secrets/external-secrets/releases/tag/v0.20.1) [Compare Source](external-secrets/external-secrets@v0.19.2...v0.20.1) Image: `ghcr.io/external-secrets/external-secrets:v0.20.1` Image: `ghcr.io/external-secrets/external-secrets:v0.20.1-ubi` Image: `ghcr.io/external-secrets/external-secrets:v0.20.1-ubi-boringssl` <!-- Release notes generated using configuration in .github/release.yml at main --> #### What's Changed ##### General - chore: release 0.19.2 by [@​moolen](https://github.com/moolen) in [#​5136](external-secrets/external-secrets#5136) - chore: update readme by [@​gusfcarvalho](https://github.com/gusfcarvalho) in [#​5137](external-secrets/external-secrets#5137) - fix(kubernetes): make auth field optional by [@​mhrabovcin](https://github.com/mhrabovcin) in [#​5064](external-secrets/external-secrets#5064) - chore: Fix Markdown spelling issues found by codespell by [@​mjtrangoni](https://github.com/mjtrangoni) in [#​5139](external-secrets/external-secrets#5139) - Fix yaml codeblock for oracle-vault provider docs by [@​muckelba](https://github.com/muckelba) in [#​5146](external-secrets/external-secrets#5146) - feat: add liveness probe to eso controller by [@​Skarlso](https://github.com/Skarlso) in [#​4930](external-secrets/external-secrets#4930) - fix(helm): add boolean for processClusterGenerator by [@​DrummyFloyd](https://github.com/DrummyFloyd) in [#​5144](external-secrets/external-secrets#5144) - chore: add Cisco to ADOPTERS.md by [@​sriaradhyula](https://github.com/sriaradhyula) in [#​5159](external-secrets/external-secrets#5159) - docs: Fix provider stability and support table by [@​jonstacks](https://github.com/jonstacks) in [#​5161](external-secrets/external-secrets#5161) - feat(helm): Add control of response to missing prometheus CRDs by [@​jcpunk](https://github.com/jcpunk) in [#​5087](external-secrets/external-secrets#5087) - chore: Added release notes configuration by [@​bonddim](https://github.com/bonddim) in [#​5148](external-secrets/external-secrets#5148) - chore: bump bitwarden helm chart version by [@​Skarlso](https://github.com/Skarlso) in [#​5044](external-secrets/external-secrets#5044) - chore(docs): update `ADOPTERS.md` to include SAP by [@​jakobmoellerdev](https://github.com/jakobmoellerdev) in [#​5165](external-secrets/external-secrets#5165) - feat: add externalsecret namespace for webhook provider by [@​matheusmazzoni](https://github.com/matheusmazzoni) in [#​5155](external-secrets/external-secrets#5155) - fix: add unknown status for secret store by [@​alvin-rw](https://github.com/alvin-rw) in [#​5070](external-secrets/external-secrets#5070) - Fix pushing to an AWS Secrets Manager Secret when there are no secret values by [@​nirajsapkota](https://github.com/nirajsapkota) in [#​4878](external-secrets/external-secrets#4878) - add extralabels for dashboard to be scraped by multiple grafana instances by [@​L1ghtman2k](https://github.com/L1ghtman2k) in [#​5138](external-secrets/external-secrets#5138) - fix: the api docs are not referencing sshkey generator by [@​Skarlso](https://github.com/Skarlso) in [#​5170](external-secrets/external-secrets#5170) - Update github.md by [@​gecube](https://github.com/gecube) in [#​5171](external-secrets/external-secrets#5171) - Update anchore-engine-credentials.md by [@​gecube](https://github.com/gecube) in [#​5172](external-secrets/external-secrets#5172) - docs: update infisical docs to clarify missing system:auth-delegator need by [@​Skarlso](https://github.com/Skarlso) in [#​5174](external-secrets/external-secrets#5174) - Adding support different type auth sources by [@​preved911](https://github.com/preved911) in [#​4877](external-secrets/external-secrets#4877) - fix: stability update document did not update the stability table correctly by [@​Skarlso](https://github.com/Skarlso) in [#​5176](external-secrets/external-secrets#5176) - Add esv1.AnnotationForceSync for CES and ES by [@​ntnn](https://github.com/ntnn) in [#​5156](external-secrets/external-secrets#5156) - fix: helm build failing by [@​Skarlso](https://github.com/Skarlso) in [#​5178](external-secrets/external-secrets#5178) - fix: remove release- branch automation by [@​moolen](https://github.com/moolen) in [#​5182](external-secrets/external-secrets#5182) - chore: update dependencies by [@​eso-service-account-app](https://github.com/eso-service-account-app)\[bot] in [#​5181](external-secrets/external-secrets#5181) - docs: update bitwarden documentation for dataFrom field usage by [@​Skarlso](https://github.com/Skarlso) in [#​5196](external-secrets/external-secrets#5196) - feat: add contributor ladder by [@​gusfcarvalho](https://github.com/gusfcarvalho) in [#​5150](external-secrets/external-secrets#5150) - feat: support vault provider check and set for push secrets by [@​webstradev](https://github.com/webstradev) in [#​5197](external-secrets/external-secrets#5197) - chore(docs): update helm charts by [@​gusfcarvalho](https://github.com/gusfcarvalho) in [#​5203](external-secrets/external-secrets#5203) - chore(ci): fix sonarqube security warnings in helm.yml by [@​webstradev](https://github.com/webstradev) in [#​5202](external-secrets/external-secrets#5202) - chore: add pull request maintenance auto labelling and sizes by [@​Skarlso](https://github.com/Skarlso) in [#​5200](external-secrets/external-secrets#5200) - fix: update the label verification step by [@​Skarlso](https://github.com/Skarlso) in [#​5209](external-secrets/external-secrets#5209) - feat: add infisical k8s auth with Client JWT as Reviewer JWT Token support by [@​tuxtof](https://github.com/tuxtof) in [#​5168](external-secrets/external-secrets#5168) - feat: improve error message for json marshalling/unmarshalling by [@​webstradev](https://github.com/webstradev) in [#​5211](external-secrets/external-secrets#5211) - chore: enhance `helm-values-schema-json` schema plugin management logic by [@​jakobmoellerdev](https://github.com/jakobmoellerdev) in [#​5212](external-secrets/external-secrets#5212) - fix(aws): stop incrementing the UUID for versions by [@​Skarlso](https://github.com/Skarlso) in [#​5175](external-secrets/external-secrets#5175) - feat: enable secure serving for metrics \[issue 4614] by [@​rkferreira](https://github.com/rkferreira) in [#​5169](external-secrets/external-secrets#5169) - fix(infisical): fix TokenAuth auth method by escaping the token revocation by [@​arthlr](https://github.com/arthlr) in [#​5217](external-secrets/external-secrets#5217) - fix: tilt build was failing to rebuild by [@​Skarlso](https://github.com/Skarlso) in [#​5225](external-secrets/external-secrets#5225) - feat: add selectable fields to the CRDs by [@​Skarlso](https://github.com/Skarlso) in [#​5226](external-secrets/external-secrets#5226) - ref: removing Yandex Cloud specific common types declaration duplication by [@​preved911](https://github.com/preved911) in [#​4905](external-secrets/external-secrets#4905) - fix: missing codeowners file from .github folder by [@​Skarlso](https://github.com/Skarlso) in [#​5228](external-secrets/external-secrets#5228) - feat: add setting remote namespace to metadata for kubernetes provider by [@​Skarlso](https://github.com/Skarlso) in [#​5224](external-secrets/external-secrets#5224) - feat: add support for certs only in pkcs12 by [@​devnopt](https://github.com/devnopt) in [#​4875](external-secrets/external-secrets#4875) - docs: document redundant clusterName/clusterLocation parameters in GCP Secret Manager docs by [@​ionicsolutions](https://github.com/ionicsolutions) in [#​5208](external-secrets/external-secrets#5208) - feat: Allow adding finalizers from template by [@​malovme](https://github.com/malovme) in [#​5140](external-secrets/external-secrets#5140) - fix: controller-runtime update by [@​gusfcarvalho](https://github.com/gusfcarvalho) in [#​5239](external-secrets/external-secrets#5239) - chore: update dependencies by [@​eso-service-account-app](https://github.com/eso-service-account-app)\[bot] in [#​5229](external-secrets/external-secrets#5229) - fix: Prevent secretstore reconcile loop when provider error response is dynamic by [@​dakotaharden](https://github.com/dakotaharden) in [#​5247](external-secrets/external-secrets#5247) - feat: add finalizers to SecretStores when referenced by PushSecrets with DeletionPolicy=Delete by [@​matheusmazzoni](https://github.com/matheusmazzoni) in [#​5163](external-secrets/external-secrets#5163) - fix: keepersecurity support for shortcuts by [@​pepordev](https://github.com/pepordev) in [#​5245](external-secrets/external-secrets#5245) - feat: add support for GCP Workload Identity Federation by [@​bharath-b-rh](https://github.com/bharath-b-rh) in [#​4654](external-secrets/external-secrets#4654) - feat: support fetching secrets and certificates by name in Yandex Lockbox & Certificate Manager by [@​alliseeisgold](https://github.com/alliseeisgold) in [#​5022](external-secrets/external-secrets#5022) - chore(charts): Adds new make target for installing unittest plugin by [@​bharath-b-rh](https://github.com/bharath-b-rh) in [#​5250](external-secrets/external-secrets#5250) - docs(templating): added clarifying comments to Github generator example by [@​nielstenboom](https://github.com/nielstenboom) in [#​5248](external-secrets/external-secrets#5248) - feat(release): add new workflow to label first time contributor issues by [@​mouhsen-ibrahim](https://github.com/mouhsen-ibrahim) in [#​5243](external-secrets/external-secrets#5243) - feat(security): Adds an option to make HTTP2 configurable by [@​siddhibhor-56](https://github.com/siddhibhor-56) in [#​5231](external-secrets/external-secrets#5231) - feat: add retry for onepassword on authorization error by [@​Skarlso](https://github.com/Skarlso) in [#​5253](external-secrets/external-secrets#5253) - fix: handle namespace deletion race conditions with finalizers by [@​framsouza](https://github.com/framsouza) in [#​5154](external-secrets/external-secrets#5154) - docs: update stability and support by [@​anders-swanson](https://github.com/anders-swanson) in [#​5257](external-secrets/external-secrets#5257) - fix(akeyless): Upgrade Akeyless Provider Go SDK to v4 by [@​kgal-akl](https://github.com/kgal-akl) in [#​5263](external-secrets/external-secrets#5263) - feat: support Pod Identity authentication for Vault Provider by [@​webstradev](https://github.com/webstradev) in [#​5201](external-secrets/external-secrets#5201) - feat: add domain field to secretserver provider by [@​rkferreira](https://github.com/rkferreira) in [#​5258](external-secrets/external-secrets#5258) - chore(release): Migrate to actions/create-github-app-token action by [@​mouhsen-ibrahim](https://github.com/mouhsen-ibrahim) in [#​5264](external-secrets/external-secrets#5264) - chore: just updating the crd conformance tests by [@​Skarlso](https://github.com/Skarlso) in [#​5265](external-secrets/external-secrets#5265) - chore(revert): "chore(release): Migrate to actions/create-github-app-token action" by [@​Skarlso](https://github.com/Skarlso) in [#​5269](external-secrets/external-secrets#5269) - chore: azure sdk update by [@​hauswio](https://github.com/hauswio) in [#​5162](external-secrets/external-secrets#5162) - feat: add support for fetching Secret by Path on Delinea Secret Server provider by [@​DelineaSahilWankhede](https://github.com/DelineaSahilWankhede) in [#​5270](external-secrets/external-secrets#5270) - feat: migrate from tibdex to actions/create-github-app-token by [@​rkferreira](https://github.com/rkferreira) in [#​5286](external-secrets/external-secrets#5286) - fix: license headers across all Go files - standardize format, add missing copyright, fix typos by [@​Copilot](https://github.com/Copilot) in [#​5288](external-secrets/external-secrets#5288) - fix: the boilerplate was missing the right license format by [@​Skarlso](https://github.com/Skarlso) in [#​5289](external-secrets/external-secrets#5289) - chore(license): add automated license header checking using Apache SkyWalking Eyes GitHub Action by [@​Copilot](https://github.com/Copilot) in [#​5290](external-secrets/external-secrets#5290) - chore(docs): remove GitHub Discussions references and update support channels by [@​jakobmoellerdev](https://github.com/jakobmoellerdev) in [#​5292](external-secrets/external-secrets#5292) - docs: updated the ladder with two new tracks: documentation and community by [@​Skarlso](https://github.com/Skarlso) in [#​5298](external-secrets/external-secrets#5298) - docs(release): create upgrading section by [@​rkferreira](https://github.com/rkferreira) in [#​5310](external-secrets/external-secrets#5310) - docs: readme update for health of the project by [@​Skarlso](https://github.com/Skarlso) in [#​5309](external-secrets/external-secrets#5309) - fix: validate namespace in secretRef by [@​moolen](https://github.com/moolen) in [#​5311](external-secrets/external-secrets#5311) - docs: add burnout prevention strategies and mitigation policy document by [@​Skarlso](https://github.com/Skarlso) in [#​5307](external-secrets/external-secrets#5307) - feat: add missing go sbom by [@​moolen](https://github.com/moolen) in [#​5313](external-secrets/external-secrets#5313) - feat: make vault e2e tests run locally by [@​moolen](https://github.com/moolen) in [#​5246](external-secrets/external-secrets#5246) - chore: update dependencies by [@​eso-service-account-app](https://github.com/eso-service-account-app)\[bot] in [#​5324](external-secrets/external-secrets#5324) - feat: add Cloudsmith generator for container registry authentication by [@​cloudsmith-iduffy](https://github.com/cloudsmith-iduffy) in [#​5267](external-secrets/external-secrets#5267) - feat: Add lgtm review automation step to ci workflows. by [@​webstradev](https://github.com/webstradev) in [#​5251](external-secrets/external-secrets#5251) - feat(provider): add Volcengine provider support by [@​kevinyancn](https://github.com/kevinyancn) in [#​5306](external-secrets/external-secrets#5306) - test: add more information to potentially flaky test by [@​Skarlso](https://github.com/Skarlso) in [#​5330](external-secrets/external-secrets#5330) - fix(docs): Fix typo in controller options doc by [@​tspearconquest](https://github.com/tspearconquest) in [#​5299](external-secrets/external-secrets#5299) - chore(testing): Add licence.check make target by [@​jonstacks](https://github.com/jonstacks) in [#​5335](external-secrets/external-secrets#5335) - docs(gitlab-variables): document environment scope fallback by [@​s1nyx](https://github.com/s1nyx) in [#​5300](external-secrets/external-secrets#5300) ##### Dependencies - chore(deps): bump mkdocs-macros-plugin from 1.3.7 to 1.3.9 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5190](external-secrets/external-secrets#5190) - chore(deps): bump requests from 2.32.4 to 2.32.5 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5191](external-secrets/external-secrets#5191) - chore(deps): bump golang from 1.24.6-bookworm to 1.25.0-bookworm in /e2e by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5189](external-secrets/external-secrets#5189) - chore(deps): bump goreleaser/goreleaser-action from 6.3.0 to 6.4.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5188](external-secrets/external-secrets#5188) - chore(deps): bump actions/create-github-app-token from 2.1.0 to 2.1.1 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5187](external-secrets/external-secrets#5187) - chore(deps): bump anchore/sbom-action from 0.20.4 to 0.20.5 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5186](external-secrets/external-secrets#5186) - chore(deps): bump codecov/codecov-action from 5.4.3 to 5.5.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5184](external-secrets/external-secrets#5184) - chore(deps): bump golang from 1.24.6 to 1.25.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5194](external-secrets/external-secrets#5194) - chore(deps): bump github/codeql-action from 3.29.8 to 3.29.11 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5195](external-secrets/external-secrets#5195) - chore(deps): bump ubi8/ubi from `4f0a4e4` to `7010e70` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5193](external-secrets/external-secrets#5193) - chore(deps): bump mkdocs-material from 9.6.16 to 9.6.18 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5192](external-secrets/external-secrets#5192) - chore(deps): bump actions/checkout from 4.2.2 to 5.0.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5198](external-secrets/external-secrets#5198) - chore(deps): bump actions/dependency-review-action from 4.7.1 to 4.7.2 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5199](external-secrets/external-secrets#5199) - chore(deps): bump aquasecurity/trivy-action from 0.32.0 to 0.33.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5234](external-secrets/external-secrets#5234) - chore(deps): bump actions/dependency-review-action from 4.7.2 to 4.7.3 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5236](external-secrets/external-secrets#5236) - chore(deps): bump ubi8/ubi from `7010e70` to `534c2c0` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5237](external-secrets/external-secrets#5237) - chore(deps): bump actions/attest-build-provenance from 2.4.0 to 3.0.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5238](external-secrets/external-secrets#5238) - chore(deps): bump regex from 2025.7.34 to 2025.8.29 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5242](external-secrets/external-secrets#5242) - chore(deps): bump platformdirs from 4.3.8 to 4.4.0 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5241](external-secrets/external-secrets#5241) - chore(deps): bump distroless/static from `2e114d2` to `f2ff10a` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5240](external-secrets/external-secrets#5240) - chore(deps): bump golang from 1.25.0 to 1.25.1 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5275](external-secrets/external-secrets#5275) - chore(deps): bump actions/github-script from 7.0.1 to 8.0.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5274](external-secrets/external-secrets#5274) - chore(deps): bump actions/stale from 9.1.0 to 10.0.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5273](external-secrets/external-secrets#5273) - chore(deps): bump actions/setup-go from 5.5.0 to 6.0.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5276](external-secrets/external-secrets#5276) - chore(deps): bump mkdocs-material from 9.6.18 to 9.6.19 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5279](external-secrets/external-secrets#5279) - chore(deps): bump codecov/codecov-action from 5.5.0 to 5.5.1 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5278](external-secrets/external-secrets#5278) - chore(deps): bump github/codeql-action from 3.29.11 to 3.30.1 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5277](external-secrets/external-secrets#5277) - chore(deps): bump markdown from 3.8.2 to 3.9 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5281](external-secrets/external-secrets#5281) - chore(deps): bump golang from 1.25.0-bookworm to 1.25.1-bookworm in /e2e by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5280](external-secrets/external-secrets#5280) - chore(deps): bump regex from 2025.8.29 to 2025.9.1 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5282](external-secrets/external-secrets#5282) - chore(deps): bump golang from `b6ed3fd` to `b6ed3fd` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5318](external-secrets/external-secrets#5318) - chore(deps): bump actions/setup-python from 5.6.0 to 6.0.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5317](external-secrets/external-secrets#5317) - chore(deps): bump github/codeql-action from 3.30.1 to 3.30.3 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5319](external-secrets/external-secrets#5319) - chore(deps): bump distroless/static from `f2ff10a` to `87bce11` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5320](external-secrets/external-secrets#5320) - chore(deps): bump actions/labeler from 5.0.0 to 6.0.1 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5323](external-secrets/external-secrets#5323) - chore(deps): bump softprops/action-gh-release from 2.3.2 to 2.3.3 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5321](external-secrets/external-secrets#5321) - chore(deps): bump actions/create-github-app-token from 2.1.1 to 2.1.4 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5322](external-secrets/external-secrets#5322) - chore(deps): bump actions/create-github-app-token from 2.1.1 to 2.1.4 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5339](external-secrets/external-secrets#5339) - chore(deps): bump aquasecurity/trivy-action from 0.33.0 to 0.33.1 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5344](external-secrets/external-secrets#5344) - chore(deps): bump mkdocs-material from 9.6.19 to 9.6.20 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5345](external-secrets/external-secrets#5345) - chore(deps): bump step-security/harden-runner from 2.13.0 to 2.13.1 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5343](external-secrets/external-secrets#5343) - chore(deps): bump sigstore/cosign-installer from 3.9.2 to 3.10.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5340](external-secrets/external-secrets#5340) - chore(deps): bump anchore/sbom-action from 0.20.5 to 0.20.6 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5341](external-secrets/external-secrets#5341) - chore(deps): bump regex from 2025.9.1 to 2025.9.18 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5346](external-secrets/external-secrets#5346) - chore(deps): bump apache/skywalking-eyes from 0.6.0 to 0.7.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5342](external-secrets/external-secrets#5342) #### New Contributors - [@​mjtrangoni](https://github.com/mjtrangoni) made their first contribution in [#​5139](external-secrets/external-secrets#5139) - [@​muckelba](https://github.com/muckelba) made their first contribution in [#​5146](external-secrets/external-secrets#5146) - [@​DrummyFloyd](https://github.com/DrummyFloyd) made their first contribution in [#​5144](external-secrets/external-secrets#5144) - [@​sriaradhyula](https://github.com/sriaradhyula) made their first contribution in [#​5159](external-secrets/external-secrets#5159) - [@​jonstacks](https://github.com/jonstacks) made their first contribution in [#​5161](external-secrets/external-secrets#5161) - [@​matheusmazzoni](https://github.com/matheusmazzoni) made their first contribution in [#​5155](external-secrets/external-secrets#5155) - [@​nirajsapkota](https://github.com/nirajsapkota) made their first contribution in [#​4878](external-secrets/external-secrets#4878) - [@​L1ghtman2k](https://github.com/L1ghtman2k) made their first contribution in [#​5138](external-secrets/external-secrets#5138) - [@​gecube](https://github.com/gecube) made their first contribution in [#​5171](external-secrets/external-secrets#5171) - [@​preved911](https://github.com/preved911) made their first contribution in [#​4877](external-secrets/external-secrets#4877) - [@​ntnn](https://github.com/ntnn) made their first contribution in [#​5156](external-secrets/external-secrets#5156) - [@​webstradev](https://github.com/webstradev) made their first contribution in [#​5197](external-secrets/external-secrets#5197) - [@​rkferreira](https://github.com/rkferreira) made their first contribution in [#​5169](external-secrets/external-secrets#5169) - [@​arthlr](https://github.com/arthlr) made their first contribution in [#​5217](external-secrets/external-secrets#5217) - [@​devnopt](https://github.com/devnopt) made their first contribution in [#​4875](external-secrets/external-secrets#4875) - [@​dakotaharden](https://github.com/dakotaharden) made their first contribution in [#​5247](external-secrets/external-secrets#5247) - [@​bharath-b-rh](https://github.com/bharath-b-rh) made their first contribution in [#​4654](external-secrets/external-secrets#4654) - [@​alliseeisgold](https://github.com/alliseeisgold) made their first contribution in [#​5022](external-secrets/external-secrets#5022) - [@​nielstenboom](https://github.com/nielstenboom) made their first contribution in [#​5248](external-secrets/external-secrets#5248) - [@​siddhibhor-56](https://github.com/siddhibhor-56) made their first contribution in [#​5231](external-secrets/external-secrets#5231) - [@​framsouza](https://github.com/framsouza) made their first contribution in [#​5154](external-secrets/external-secrets#5154) - [@​kgal-akl](https://github.com/kgal-akl) made their first contribution in [#​5263](external-secrets/external-secrets#5263) - [@​hauswio](https://github.com/hauswio) made their first contribution in [#​5162](external-secrets/external-secrets#5162) - [@​Copilot](https://github.com/Copilot) made their first contribution in [#​5288](external-secrets/external-secrets#5288) - [@​cloudsmith-iduffy](https://github.com/cloudsmith-iduffy) made their first contribution in [#​5267](external-secrets/external-secrets#5267) - [@​kevinyancn](https://github.com/kevinyancn) made their first contribution in [#​5306](external-secrets/external-secrets#5306) - [@​s1nyx](https://github.com/s1nyx) made their first contribution in [#​5300](external-secrets/external-secrets#5300) **Full Changelog**: <external-secrets/external-secrets@v0.19.2...v0.20.1> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xMTYuNiIsInVwZGF0ZWRJblZlciI6IjQxLjExNi42IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJjaGFydCJdfQ==--> Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/1555 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem Statement
This PR implements the finalizer mechanism for SecretStores and ClusterSecretStores to prevent premature deletion when there are PushSecrets with
DeletionPolicy=Deletethat reference them. This ensures that secrets are properly cleaned up from external providers before the stores are removed.How it works
Finalizer Addition
DeletionPolicy=DeleteFinalizer Removal
DeletionPolicy, the finalizer is automatically removedIndex-Based Lookups
Breaking Changes
None - This is a purely additive feature that enhances existing functionality without changing current behavior.
Future Considerations
Related Issue
Fixes #3411
It was used the #3411 (comment) comment to create this PR. Thanks @thesuperzapper for context :)
Checklist
git commit --signoffmake testmake reviewable