feat: support Pod Identity authentication for Vault Provider#5201

Merged

Skarlso merged 13 commits intoexternal-secrets:mainfrom

webstradev:pod-identity-vault-auth

Sep 6, 2025

Contributor

webstradev commented Aug 26, 2025 •

edited

Loading

Problem Statement

Support using the Pod Identity if IRSA is not enabled.

Related Issue

Fixes #4888

Proposed Changes

I cleaned up the relevant function a little bit and introduces some helper functions just to make the higher-level logic a bit clearer. (first commit is only the refactor, second commit is the actual feature change)

Previously if the IRSA was not set up it would error out. Now we first check if the required env variables for EKS Pod Identity are set, if they are we return nil creds (allowing the aws sdk authenticate with those environment variables). If those aren't set either, then we still error out.

Some documentation that shows aws-sdk handles this
https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html

Checklist

I have read the contribution guidelines
All commits are signed with git commit --signoff
My changes have reasonable test coverage
All tests pass with make test
I ensured my PR is ready for review with make reviewable

webstradev requested a review from a team as a code owner

August 26, 2025 09:41

webstradev requested a review from Skarlso

August 26, 2025 09:41

github-project-automation bot added this to External Secrets

Skarlso changed the title ~~Support Pod Identity authentication for Vault Provider~~ feat: support Pod Identity authentication for Vault Provider

jakobmoellerdev reviewed

View reviewed changes

apis/externalsecrets/v1/secretstore_vault_types.go Outdated Show resolved Hide resolved

apis/externalsecrets/v1beta1/secretstore_vault_types.go Outdated

               	JWTAuth *VaultAwsJWTAuth `json:"jwt,omitempty"`
+              	// When JWTAuth and SecretRef are not specified, the provider will use the controller pod's
+              	// identity to authenticate with AWS. This supports both IRSA and EKS Pod Identity.
+              	// +optional

Contributor

jakobmoellerdev Aug 26, 2025

same as above. were you planning to put a field here?

Contributor Author

webstradev Aug 26, 2025

i resolved the above, however, I'm wondering now if it should be added here in the first place in v1beta1?

pkg/provider/vault/auth_iam.go Outdated Show resolved Hide resolved

pkg/provider/vault/auth_iam.go

+              	}
+              	// everything looks good so far, let's fetch the jwt token from AWS_WEB_IDENTITY_TOKEN_FILE
+              	jwtByte, err := os.ReadFile(filepath.Clean(tokenFile))

Contributor

jakobmoellerdev Aug 26, 2025

why do you do a clean here, but not for stat?

Contributor Author

webstradev Aug 26, 2025

great question, haven't the foggiest as this was code that was already there as well.

I'll clean it for the stat call as well though, that seems sensible

pkg/provider/vault/auth_iam.go Show resolved Hide resolved

Contributor Author

webstradev commented Aug 26, 2025

@jakobmoellerdev Thanks for the quick review, I think i've covered all your comments, let me know if there is anything else!

webstradev requested a review from jakobmoellerdev

August 26, 2025 16:56

gusfcarvalho reviewed

View reviewed changes

pkg/provider/vault/auth_iam.go Outdated Show resolved Hide resolved

webstradev force-pushed the pod-identity-vault-auth branch from ebcc7bb to f5bd905 Compare

August 27, 2025 09:37

github-actions bot added kind/feature kind/documentation size/m labels

webstradev force-pushed the pod-identity-vault-auth branch 2 times, most recently from 678af8b to 354aff5 Compare

August 28, 2025 07:44

webstradev requested a review from gusfcarvalho

September 1, 2025 11:48

Member

gusfcarvalho commented Sep 1, 2025

/ok-to-test sha=354aff55894eda7a37bb2bae5ef3d6447065311c

Contributor

eso-service-account-app bot commented Sep 1, 2025

[Bot] - ✅ e2e for 354aff55894eda7a37bb2bae5ef3d6447065311c passed

webstradev force-pushed the pod-identity-vault-auth branch from 354aff5 to 164347b Compare

September 1, 2025 16:48

Skarlso reviewed

View reviewed changes

pkg/provider/vault/auth_iam.go Outdated

Comment on lines +207 to +227

+              	if claims, ok := token.Claims.(jwt.MapClaims); ok {
+              		k8s, ok := claims["kubernetes.io"].(map[string]any)
+              		if !ok {
+              			return nil, fmt.Errorf(errIrsaTokenNotValidJWT, tokenFile, err)
+              		}
+              		ns, ok = k8s["namespace"].(string)
+              		if !ok {
+              			return nil, fmt.Errorf(errIrsaTokenNotValidJWT, tokenFile, err)
+              		}
+              		saMap, ok := k8s["serviceaccount"].(map[string]any)
+              		if !ok {
+              			return nil, fmt.Errorf(errIrsaTokenNotValidJWT, tokenFile, err)
+              		}
+              		sa, ok = saMap["name"].(string)
+              		if !ok {
+              			return nil, fmt.Errorf(errIrsaTokenNotValidJWT, tokenFile, err)
+              		}
+              	} else {
+              		return nil, fmt.Errorf(errPodInfoNotFoundOnToken, tokenFile, err)
+              	}

Contributor

Skarlso Sep 2, 2025

The err here is nil since it's already checked on line 199.

Contributor Author

webstradev Sep 2, 2025 •

edited

Loading

I'm not entirely sure which error are you referring to. These changes kind of cascaded beyond the scope of what I was working on, because all I did was move this code. Happy to improve it whilst we are touching it though.

I believe once the err is nil for parseUnverified its we need to return an error if the claims are invalid right, I have adjusted the errors slightly to return an invalid claims error for all those cases. I believe this covers both of your comments, but let me know if this doesn't suffice.

Contributor

Skarlso Sep 3, 2025

I'm saying that here:

	token, _, err := parser.ParseUnverified(string(jwtByte), jwt.MapClaims{})
	if err != nil {
		return nil, fmt.Errorf(errIrsaTokenNotValidJWT, tokenFile, err) // JWT token parser error
	}

There was a nil check for the error in these:

return nil, fmt.Errorf(errIrsaTokenNotValidJWT, tokenFile, err)

So in this fmt.Errorf call the error will always be just nil. So might as well just drop it. :)

Contributor Author

webstradev Sep 3, 2025

ow right okay sorry yeah that is my bad lol. That I will fix

Skarlso reviewed

View reviewed changes

pkg/provider/vault/auth_iam.go Outdated Show resolved Hide resolved

Skarlso reviewed

View reviewed changes

pkg/provider/vault/auth_iam.go Outdated Show resolved Hide resolved

webstradev force-pushed the pod-identity-vault-auth branch from 71acecd to f757fda Compare

September 2, 2025 15:14

webstradev requested a review from Skarlso

September 2, 2025 17:17

webstradev force-pushed the pod-identity-vault-auth branch from c50cbb6 to 649a7c7 Compare

September 3, 2025 07:40

webstradev added 6 commits

September 3, 2025 12:06


          tidy: clean requestTokenWithIamAuth function to better support changes.

9416e44

Signed-off-by: Erik Westra <e.s.westra.95@gmail.com>


          feat: add ability to use pod identity (if irsa token is not set and p…

30af6ac

…od identity environment variables are)

Signed-off-by: Erik Westra <e.s.westra.95@gmail.com>


          docs: update documentation to describe support for both IRSA and pod …

…identity

Signed-off-by: Erik Westra <e.s.westra.95@gmail.com>


          (peer-review) remove documentation from v1beta1 and move v1 comment t…

0297b03

…o the struct instead of a non-existent field) so it actually shows up in generated docs.

Signed-off-by: Erik Westra <e.s.westra.95@gmail.com>


          (peer-review) properly catch both unset and empty set values

5bbf9a4

Signed-off-by: Erik Westra <e.s.westra.95@gmail.com>


          (peer-review) clean file path for os.Stat call as well.

8ce24b8

Signed-off-by: Erik Westra <e.s.westra.95@gmail.com>

webstradev and others added 6 commits

September 3, 2025 12:06


          (peer-review) make type assertions safer.

1247a3a

Signed-off-by: Erik Westra <e.s.westra.95@gmail.com>


          (peer-review) fix unnecessary fmt.Errorf with no verbs

Co-authored-by: Gustavo Fernandes de Carvalho <17139678+gusfcarvalho@users.noreply.github.com>
Signed-off-by: Erik Westra <e.s.westra.95@gmail.com>


          (peer-review) explicitly check for missing token claims.

30a8be6

Signed-off-by: Erik Westra <e.s.westra.95@gmail.com>


          (peer-review) return correct errors for invalid token claims.

39b6c14

Signed-off-by: Erik Westra <e.s.westra.95@gmail.com>


          (peer-review) only require the podIdentityURI to be set.

a4480b6

Signed-off-by: Erik Westra <e.s.westra.95@gmail.com>


          (peer-review) fix unnecessary nil error in claim validation.

ccbdb04

Signed-off-by: Erik Westra <e.s.westra.95@gmail.com>

webstradev force-pushed the pod-identity-vault-auth branch from 649a7c7 to ccbdb04 Compare

September 3, 2025 10:06

Contributor Author

webstradev commented Sep 3, 2025

@Skarlso That should be all your comments sorted now, let me know if there is anything else.

Skarlso approved these changes

View reviewed changes

Contributor

Skarlso left a comment

Well done! Nice work! :) 🙇


          Merge branch 'main' into pod-identity-vault-auth

818ca61

Skarlso merged commit 851d88b into external-secrets:main

6 checks passed

github-project-automation bot moved this to Done in External Secrets

sonarqubecloud bot commented Sep 6, 2025

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

webstradev deleted the pod-identity-vault-auth branch

September 16, 2025 22:06

alexlebens pushed a commit to alexlebens/infrastructure that referenced this pull request


          Update Helm release external-secrets to v0.20.1 (#1555)

d438059

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [external-secrets](https://github.com/external-secrets/external-secrets) | minor | `0.19.2` -> `0.20.1` |

---

### Release Notes

<details>
<summary>external-secrets/external-secrets (external-secrets)</summary>

### [`v0.20.1`](https://github.com/external-secrets/external-secrets/releases/tag/v0.20.1)

[Compare Source](external-secrets/external-secrets@v0.19.2...v0.20.1)

Image: `ghcr.io/external-secrets/external-secrets:v0.20.1`
Image: `ghcr.io/external-secrets/external-secrets:v0.20.1-ubi`
Image: `ghcr.io/external-secrets/external-secrets:v0.20.1-ubi-boringssl`

<!-- Release notes generated using configuration in .github/release.yml at main -->

#### What's Changed

##### General

- chore: release 0.19.2 by [@&#8203;moolen](https://github.com/moolen) in [#&#8203;5136](external-secrets/external-secrets#5136)
- chore: update readme by [@&#8203;gusfcarvalho](https://github.com/gusfcarvalho) in [#&#8203;5137](external-secrets/external-secrets#5137)
- fix(kubernetes): make auth field optional by [@&#8203;mhrabovcin](https://github.com/mhrabovcin) in [#&#8203;5064](external-secrets/external-secrets#5064)
- chore: Fix Markdown spelling issues found by codespell by [@&#8203;mjtrangoni](https://github.com/mjtrangoni) in [#&#8203;5139](external-secrets/external-secrets#5139)
- Fix yaml codeblock for oracle-vault provider docs by [@&#8203;muckelba](https://github.com/muckelba) in [#&#8203;5146](external-secrets/external-secrets#5146)
- feat: add liveness probe to eso controller by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;4930](external-secrets/external-secrets#4930)
- fix(helm): add boolean for  processClusterGenerator by [@&#8203;DrummyFloyd](https://github.com/DrummyFloyd) in [#&#8203;5144](external-secrets/external-secrets#5144)
- chore: add Cisco to ADOPTERS.md by [@&#8203;sriaradhyula](https://github.com/sriaradhyula) in [#&#8203;5159](external-secrets/external-secrets#5159)
- docs: Fix provider stability and support table by [@&#8203;jonstacks](https://github.com/jonstacks) in [#&#8203;5161](external-secrets/external-secrets#5161)
- feat(helm): Add control of response to missing prometheus CRDs by [@&#8203;jcpunk](https://github.com/jcpunk) in [#&#8203;5087](external-secrets/external-secrets#5087)
- chore: Added release notes configuration by [@&#8203;bonddim](https://github.com/bonddim) in [#&#8203;5148](external-secrets/external-secrets#5148)
- chore: bump bitwarden helm chart version by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5044](external-secrets/external-secrets#5044)
- chore(docs): update `ADOPTERS.md` to include SAP by [@&#8203;jakobmoellerdev](https://github.com/jakobmoellerdev) in [#&#8203;5165](external-secrets/external-secrets#5165)
- feat: add externalsecret namespace for webhook provider by [@&#8203;matheusmazzoni](https://github.com/matheusmazzoni) in [#&#8203;5155](external-secrets/external-secrets#5155)
- fix: add unknown status for secret store by [@&#8203;alvin-rw](https://github.com/alvin-rw) in [#&#8203;5070](external-secrets/external-secrets#5070)
- Fix pushing to an AWS Secrets Manager Secret when there are no secret values by [@&#8203;nirajsapkota](https://github.com/nirajsapkota) in [#&#8203;4878](external-secrets/external-secrets#4878)
- add extralabels for dashboard to be scraped by multiple grafana instances by [@&#8203;L1ghtman2k](https://github.com/L1ghtman2k) in [#&#8203;5138](external-secrets/external-secrets#5138)
- fix: the api docs are not referencing sshkey generator by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5170](external-secrets/external-secrets#5170)
- Update github.md by [@&#8203;gecube](https://github.com/gecube) in [#&#8203;5171](external-secrets/external-secrets#5171)
- Update anchore-engine-credentials.md by [@&#8203;gecube](https://github.com/gecube) in [#&#8203;5172](external-secrets/external-secrets#5172)
- docs: update infisical docs to clarify missing system:auth-delegator need by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5174](external-secrets/external-secrets#5174)
- Adding support different type auth sources by [@&#8203;preved911](https://github.com/preved911) in [#&#8203;4877](external-secrets/external-secrets#4877)
- fix: stability update document did not update the stability table correctly by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5176](external-secrets/external-secrets#5176)
- Add esv1.AnnotationForceSync for CES and ES by [@&#8203;ntnn](https://github.com/ntnn) in [#&#8203;5156](external-secrets/external-secrets#5156)
- fix: helm build failing by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5178](external-secrets/external-secrets#5178)
- fix: remove release- branch automation by [@&#8203;moolen](https://github.com/moolen) in [#&#8203;5182](external-secrets/external-secrets#5182)
- chore: update dependencies by [@&#8203;eso-service-account-app](https://github.com/eso-service-account-app)\[bot] in [#&#8203;5181](external-secrets/external-secrets#5181)
- docs: update bitwarden documentation for dataFrom field usage by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5196](external-secrets/external-secrets#5196)
- feat: add contributor ladder by [@&#8203;gusfcarvalho](https://github.com/gusfcarvalho) in [#&#8203;5150](external-secrets/external-secrets#5150)
- feat: support vault provider check and set for push secrets by [@&#8203;webstradev](https://github.com/webstradev) in [#&#8203;5197](external-secrets/external-secrets#5197)
- chore(docs): update helm charts by [@&#8203;gusfcarvalho](https://github.com/gusfcarvalho) in [#&#8203;5203](external-secrets/external-secrets#5203)
- chore(ci): fix sonarqube security warnings in helm.yml by [@&#8203;webstradev](https://github.com/webstradev) in [#&#8203;5202](external-secrets/external-secrets#5202)
- chore: add pull request maintenance auto labelling and sizes by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5200](external-secrets/external-secrets#5200)
- fix: update the label verification step by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5209](external-secrets/external-secrets#5209)
- feat: add infisical k8s auth with Client JWT as Reviewer JWT Token support by [@&#8203;tuxtof](https://github.com/tuxtof) in [#&#8203;5168](external-secrets/external-secrets#5168)
- feat: improve error message for json marshalling/unmarshalling by [@&#8203;webstradev](https://github.com/webstradev) in [#&#8203;5211](external-secrets/external-secrets#5211)
- chore: enhance `helm-values-schema-json` schema plugin management logic by [@&#8203;jakobmoellerdev](https://github.com/jakobmoellerdev) in [#&#8203;5212](external-secrets/external-secrets#5212)
- fix(aws): stop incrementing the UUID for versions by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5175](external-secrets/external-secrets#5175)
- feat: enable secure serving for metrics \[issue 4614] by [@&#8203;rkferreira](https://github.com/rkferreira) in [#&#8203;5169](external-secrets/external-secrets#5169)
- fix(infisical): fix TokenAuth auth method by escaping the token revocation by [@&#8203;arthlr](https://github.com/arthlr) in [#&#8203;5217](external-secrets/external-secrets#5217)
- fix: tilt build was failing to rebuild by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5225](external-secrets/external-secrets#5225)
- feat: add selectable fields to the CRDs by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5226](external-secrets/external-secrets#5226)
- ref: removing Yandex Cloud specific common types declaration duplication by [@&#8203;preved911](https://github.com/preved911) in [#&#8203;4905](external-secrets/external-secrets#4905)
- fix: missing codeowners file from .github folder by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5228](external-secrets/external-secrets#5228)
- feat: add setting remote namespace to metadata for kubernetes provider by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5224](external-secrets/external-secrets#5224)
- feat: add support for certs only in pkcs12 by [@&#8203;devnopt](https://github.com/devnopt) in [#&#8203;4875](external-secrets/external-secrets#4875)
- docs: document redundant clusterName/clusterLocation parameters in GCP Secret Manager docs by [@&#8203;ionicsolutions](https://github.com/ionicsolutions) in [#&#8203;5208](external-secrets/external-secrets#5208)
- feat: Allow adding finalizers from template by [@&#8203;malovme](https://github.com/malovme) in [#&#8203;5140](external-secrets/external-secrets#5140)
- fix: controller-runtime update by [@&#8203;gusfcarvalho](https://github.com/gusfcarvalho) in [#&#8203;5239](external-secrets/external-secrets#5239)
- chore: update dependencies by [@&#8203;eso-service-account-app](https://github.com/eso-service-account-app)\[bot] in [#&#8203;5229](external-secrets/external-secrets#5229)
- fix: Prevent secretstore reconcile loop when provider error response is dynamic by [@&#8203;dakotaharden](https://github.com/dakotaharden) in [#&#8203;5247](external-secrets/external-secrets#5247)
- feat: add finalizers to SecretStores when referenced by PushSecrets with DeletionPolicy=Delete by [@&#8203;matheusmazzoni](https://github.com/matheusmazzoni) in [#&#8203;5163](external-secrets/external-secrets#5163)
- fix: keepersecurity support for shortcuts by [@&#8203;pepordev](https://github.com/pepordev) in [#&#8203;5245](external-secrets/external-secrets#5245)
- feat: add support for GCP Workload Identity Federation by [@&#8203;bharath-b-rh](https://github.com/bharath-b-rh) in [#&#8203;4654](external-secrets/external-secrets#4654)
- feat: support fetching secrets and certificates by name in Yandex Lockbox & Certificate Manager by [@&#8203;alliseeisgold](https://github.com/alliseeisgold) in [#&#8203;5022](external-secrets/external-secrets#5022)
- chore(charts): Adds new make target for installing unittest plugin by [@&#8203;bharath-b-rh](https://github.com/bharath-b-rh) in [#&#8203;5250](external-secrets/external-secrets#5250)
- docs(templating): added clarifying comments to Github generator example by [@&#8203;nielstenboom](https://github.com/nielstenboom) in [#&#8203;5248](external-secrets/external-secrets#5248)
- feat(release): add new workflow to label first time contributor issues by [@&#8203;mouhsen-ibrahim](https://github.com/mouhsen-ibrahim) in [#&#8203;5243](external-secrets/external-secrets#5243)
- feat(security): Adds an option to make HTTP2 configurable by [@&#8203;siddhibhor-56](https://github.com/siddhibhor-56) in [#&#8203;5231](external-secrets/external-secrets#5231)
- feat: add retry for onepassword on authorization error by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5253](external-secrets/external-secrets#5253)
- fix: handle namespace deletion race conditions with finalizers by [@&#8203;framsouza](https://github.com/framsouza) in [#&#8203;5154](external-secrets/external-secrets#5154)
- docs: update stability and support by [@&#8203;anders-swanson](https://github.com/anders-swanson) in [#&#8203;5257](external-secrets/external-secrets#5257)
- fix(akeyless): Upgrade Akeyless Provider Go SDK to v4 by [@&#8203;kgal-akl](https://github.com/kgal-akl) in [#&#8203;5263](external-secrets/external-secrets#5263)
- feat: support Pod Identity authentication for Vault Provider by [@&#8203;webstradev](https://github.com/webstradev) in [#&#8203;5201](external-secrets/external-secrets#5201)
- feat: add domain field to secretserver provider by [@&#8203;rkferreira](https://github.com/rkferreira) in [#&#8203;5258](external-secrets/external-secrets#5258)
- chore(release): Migrate to actions/create-github-app-token action by [@&#8203;mouhsen-ibrahim](https://github.com/mouhsen-ibrahim) in [#&#8203;5264](external-secrets/external-secrets#5264)
- chore: just updating the crd conformance tests by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5265](external-secrets/external-secrets#5265)
- chore(revert): "chore(release): Migrate to actions/create-github-app-token action" by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5269](external-secrets/external-secrets#5269)
- chore: azure sdk update by [@&#8203;hauswio](https://github.com/hauswio) in [#&#8203;5162](external-secrets/external-secrets#5162)
- feat: add support for fetching Secret by Path on Delinea Secret Server provider by [@&#8203;DelineaSahilWankhede](https://github.com/DelineaSahilWankhede) in [#&#8203;5270](external-secrets/external-secrets#5270)
- feat: migrate from tibdex to actions/create-github-app-token by [@&#8203;rkferreira](https://github.com/rkferreira) in [#&#8203;5286](external-secrets/external-secrets#5286)
- fix: license headers across all Go files - standardize format, add missing copyright, fix typos by [@&#8203;Copilot](https://github.com/Copilot) in [#&#8203;5288](external-secrets/external-secrets#5288)
- fix: the boilerplate was missing the right license format by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5289](external-secrets/external-secrets#5289)
- chore(license): add automated license header checking using Apache SkyWalking Eyes GitHub Action by [@&#8203;Copilot](https://github.com/Copilot) in [#&#8203;5290](external-secrets/external-secrets#5290)
- chore(docs): remove GitHub Discussions references and update support channels by [@&#8203;jakobmoellerdev](https://github.com/jakobmoellerdev) in [#&#8203;5292](external-secrets/external-secrets#5292)
- docs: updated the ladder with two new tracks: documentation and community by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5298](external-secrets/external-secrets#5298)
- docs(release): create upgrading section by [@&#8203;rkferreira](https://github.com/rkferreira) in [#&#8203;5310](external-secrets/external-secrets#5310)
- docs: readme update for health of the project by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5309](external-secrets/external-secrets#5309)
- fix: validate namespace in secretRef by [@&#8203;moolen](https://github.com/moolen) in [#&#8203;5311](external-secrets/external-secrets#5311)
- docs: add burnout prevention strategies and mitigation policy document by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5307](external-secrets/external-secrets#5307)
- feat: add missing go sbom by [@&#8203;moolen](https://github.com/moolen) in [#&#8203;5313](external-secrets/external-secrets#5313)
- feat: make vault e2e tests run locally by [@&#8203;moolen](https://github.com/moolen) in [#&#8203;5246](external-secrets/external-secrets#5246)
- chore: update dependencies by [@&#8203;eso-service-account-app](https://github.com/eso-service-account-app)\[bot] in [#&#8203;5324](external-secrets/external-secrets#5324)
- feat: add Cloudsmith generator for container registry authentication by [@&#8203;cloudsmith-iduffy](https://github.com/cloudsmith-iduffy) in [#&#8203;5267](external-secrets/external-secrets#5267)
- feat: Add lgtm review automation step to ci workflows. by [@&#8203;webstradev](https://github.com/webstradev) in [#&#8203;5251](external-secrets/external-secrets#5251)
- feat(provider): add Volcengine provider support by [@&#8203;kevinyancn](https://github.com/kevinyancn) in [#&#8203;5306](external-secrets/external-secrets#5306)
- test: add more information to potentially flaky test by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5330](external-secrets/external-secrets#5330)
- fix(docs): Fix typo in controller options doc by [@&#8203;tspearconquest](https://github.com/tspearconquest) in [#&#8203;5299](external-secrets/external-secrets#5299)
- chore(testing): Add licence.check make target by [@&#8203;jonstacks](https://github.com/jonstacks) in [#&#8203;5335](external-secrets/external-secrets#5335)
- docs(gitlab-variables): document environment scope fallback by [@&#8203;s1nyx](https://github.com/s1nyx) in [#&#8203;5300](external-secrets/external-secrets#5300)

##### Dependencies

- chore(deps): bump mkdocs-macros-plugin from 1.3.7 to 1.3.9 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5190](external-secrets/external-secrets#5190)
- chore(deps): bump requests from 2.32.4 to 2.32.5 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5191](external-secrets/external-secrets#5191)
- chore(deps): bump golang from 1.24.6-bookworm to 1.25.0-bookworm in /e2e by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5189](external-secrets/external-secrets#5189)
- chore(deps): bump goreleaser/goreleaser-action from 6.3.0 to 6.4.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5188](external-secrets/external-secrets#5188)
- chore(deps): bump actions/create-github-app-token from 2.1.0 to 2.1.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5187](external-secrets/external-secrets#5187)
- chore(deps): bump anchore/sbom-action from 0.20.4 to 0.20.5 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5186](external-secrets/external-secrets#5186)
- chore(deps): bump codecov/codecov-action from 5.4.3 to 5.5.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5184](external-secrets/external-secrets#5184)
- chore(deps): bump golang from 1.24.6 to 1.25.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5194](external-secrets/external-secrets#5194)
- chore(deps): bump github/codeql-action from 3.29.8 to 3.29.11 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5195](external-secrets/external-secrets#5195)
- chore(deps): bump ubi8/ubi from `4f0a4e4` to `7010e70` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5193](external-secrets/external-secrets#5193)
- chore(deps): bump mkdocs-material from 9.6.16 to 9.6.18 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5192](external-secrets/external-secrets#5192)
- chore(deps): bump actions/checkout from 4.2.2 to 5.0.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5198](external-secrets/external-secrets#5198)
- chore(deps): bump actions/dependency-review-action from 4.7.1 to 4.7.2 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5199](external-secrets/external-secrets#5199)
- chore(deps): bump aquasecurity/trivy-action from 0.32.0 to 0.33.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5234](external-secrets/external-secrets#5234)
- chore(deps): bump actions/dependency-review-action from 4.7.2 to 4.7.3 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5236](external-secrets/external-secrets#5236)
- chore(deps): bump ubi8/ubi from `7010e70` to `534c2c0` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5237](external-secrets/external-secrets#5237)
- chore(deps): bump actions/attest-build-provenance from 2.4.0 to 3.0.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5238](external-secrets/external-secrets#5238)
- chore(deps): bump regex from 2025.7.34 to 2025.8.29 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5242](external-secrets/external-secrets#5242)
- chore(deps): bump platformdirs from 4.3.8 to 4.4.0 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5241](external-secrets/external-secrets#5241)
- chore(deps): bump distroless/static from `2e114d2` to `f2ff10a` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5240](external-secrets/external-secrets#5240)
- chore(deps): bump golang from 1.25.0 to 1.25.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5275](external-secrets/external-secrets#5275)
- chore(deps): bump actions/github-script from 7.0.1 to 8.0.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5274](external-secrets/external-secrets#5274)
- chore(deps): bump actions/stale from 9.1.0 to 10.0.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5273](external-secrets/external-secrets#5273)
- chore(deps): bump actions/setup-go from 5.5.0 to 6.0.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5276](external-secrets/external-secrets#5276)
- chore(deps): bump mkdocs-material from 9.6.18 to 9.6.19 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5279](external-secrets/external-secrets#5279)
- chore(deps): bump codecov/codecov-action from 5.5.0 to 5.5.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5278](external-secrets/external-secrets#5278)
- chore(deps): bump github/codeql-action from 3.29.11 to 3.30.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5277](external-secrets/external-secrets#5277)
- chore(deps): bump markdown from 3.8.2 to 3.9 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5281](external-secrets/external-secrets#5281)
- chore(deps): bump golang from 1.25.0-bookworm to 1.25.1-bookworm in /e2e by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5280](external-secrets/external-secrets#5280)
- chore(deps): bump regex from 2025.8.29 to 2025.9.1 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5282](external-secrets/external-secrets#5282)
- chore(deps): bump golang from `b6ed3fd` to `b6ed3fd` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5318](external-secrets/external-secrets#5318)
- chore(deps): bump actions/setup-python from 5.6.0 to 6.0.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5317](external-secrets/external-secrets#5317)
- chore(deps): bump github/codeql-action from 3.30.1 to 3.30.3 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5319](external-secrets/external-secrets#5319)
- chore(deps): bump distroless/static from `f2ff10a` to `87bce11` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5320](external-secrets/external-secrets#5320)
- chore(deps): bump actions/labeler from 5.0.0 to 6.0.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5323](external-secrets/external-secrets#5323)
- chore(deps): bump softprops/action-gh-release from 2.3.2 to 2.3.3 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5321](external-secrets/external-secrets#5321)
- chore(deps): bump actions/create-github-app-token from 2.1.1 to 2.1.4 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5322](external-secrets/external-secrets#5322)
- chore(deps): bump actions/create-github-app-token from 2.1.1 to 2.1.4 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5339](external-secrets/external-secrets#5339)
- chore(deps): bump aquasecurity/trivy-action from 0.33.0 to 0.33.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5344](external-secrets/external-secrets#5344)
- chore(deps): bump mkdocs-material from 9.6.19 to 9.6.20 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5345](external-secrets/external-secrets#5345)
- chore(deps): bump step-security/harden-runner from 2.13.0 to 2.13.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5343](external-secrets/external-secrets#5343)
- chore(deps): bump sigstore/cosign-installer from 3.9.2 to 3.10.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5340](external-secrets/external-secrets#5340)
- chore(deps): bump anchore/sbom-action from 0.20.5 to 0.20.6 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5341](external-secrets/external-secrets#5341)
- chore(deps): bump regex from 2025.9.1 to 2025.9.18 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5346](external-secrets/external-secrets#5346)
- chore(deps): bump apache/skywalking-eyes from 0.6.0 to 0.7.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5342](external-secrets/external-secrets#5342)

#### New Contributors

- [@&#8203;mjtrangoni](https://github.com/mjtrangoni) made their first contribution in [#&#8203;5139](external-secrets/external-secrets#5139)
- [@&#8203;muckelba](https://github.com/muckelba) made their first contribution in [#&#8203;5146](external-secrets/external-secrets#5146)
- [@&#8203;DrummyFloyd](https://github.com/DrummyFloyd) made their first contribution in [#&#8203;5144](external-secrets/external-secrets#5144)
- [@&#8203;sriaradhyula](https://github.com/sriaradhyula) made their first contribution in [#&#8203;5159](external-secrets/external-secrets#5159)
- [@&#8203;jonstacks](https://github.com/jonstacks) made their first contribution in [#&#8203;5161](external-secrets/external-secrets#5161)
- [@&#8203;matheusmazzoni](https://github.com/matheusmazzoni) made their first contribution in [#&#8203;5155](external-secrets/external-secrets#5155)
- [@&#8203;nirajsapkota](https://github.com/nirajsapkota) made their first contribution in [#&#8203;4878](external-secrets/external-secrets#4878)
- [@&#8203;L1ghtman2k](https://github.com/L1ghtman2k) made their first contribution in [#&#8203;5138](external-secrets/external-secrets#5138)
- [@&#8203;gecube](https://github.com/gecube) made their first contribution in [#&#8203;5171](external-secrets/external-secrets#5171)
- [@&#8203;preved911](https://github.com/preved911) made their first contribution in [#&#8203;4877](external-secrets/external-secrets#4877)
- [@&#8203;ntnn](https://github.com/ntnn) made their first contribution in [#&#8203;5156](external-secrets/external-secrets#5156)
- [@&#8203;webstradev](https://github.com/webstradev) made their first contribution in [#&#8203;5197](external-secrets/external-secrets#5197)
- [@&#8203;rkferreira](https://github.com/rkferreira) made their first contribution in [#&#8203;5169](external-secrets/external-secrets#5169)
- [@&#8203;arthlr](https://github.com/arthlr) made their first contribution in [#&#8203;5217](external-secrets/external-secrets#5217)
- [@&#8203;devnopt](https://github.com/devnopt) made their first contribution in [#&#8203;4875](external-secrets/external-secrets#4875)
- [@&#8203;dakotaharden](https://github.com/dakotaharden) made their first contribution in [#&#8203;5247](external-secrets/external-secrets#5247)
- [@&#8203;bharath-b-rh](https://github.com/bharath-b-rh) made their first contribution in [#&#8203;4654](external-secrets/external-secrets#4654)
- [@&#8203;alliseeisgold](https://github.com/alliseeisgold) made their first contribution in [#&#8203;5022](external-secrets/external-secrets#5022)
- [@&#8203;nielstenboom](https://github.com/nielstenboom) made their first contribution in [#&#8203;5248](external-secrets/external-secrets#5248)
- [@&#8203;siddhibhor-56](https://github.com/siddhibhor-56) made their first contribution in [#&#8203;5231](external-secrets/external-secrets#5231)
- [@&#8203;framsouza](https://github.com/framsouza) made their first contribution in [#&#8203;5154](external-secrets/external-secrets#5154)
- [@&#8203;kgal-akl](https://github.com/kgal-akl) made their first contribution in [#&#8203;5263](external-secrets/external-secrets#5263)
- [@&#8203;hauswio](https://github.com/hauswio) made their first contribution in [#&#8203;5162](external-secrets/external-secrets#5162)
- [@&#8203;Copilot](https://github.com/Copilot) made their first contribution in [#&#8203;5288](external-secrets/external-secrets#5288)
- [@&#8203;cloudsmith-iduffy](https://github.com/cloudsmith-iduffy) made their first contribution in [#&#8203;5267](external-secrets/external-secrets#5267)
- [@&#8203;kevinyancn](https://github.com/kevinyancn) made their first contribution in [#&#8203;5306](external-secrets/external-secrets#5306)
- [@&#8203;s1nyx](https://github.com/s1nyx) made their first contribution in [#&#8203;5300](external-secrets/external-secrets#5300)

**Full Changelog**: <external-secrets/external-secrets@v0.19.2...v0.20.1>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xMTYuNiIsInVwZGF0ZWRJblZlciI6IjQxLjExNi42IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJjaGFydCJdfQ==-->

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/1555
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

kind/documentation kind/feature size/m