
feat: dynamic target implementation for external secrets sources #5470

Merged
Skarlso merged 33 commits into external-secrets:main from Skarlso:configmap-as-source
Nov 3, 2025

Conversation


@Skarlso Skarlso commented Oct 15, 2025

Problem Statement

This is an implementation of syncing to a custom resource https://github.com/external-secrets/external-secrets/blob/main/design/012-sync-to-custom-resource.md.

The following changes have been applied to the external secret controller and the external secret object:

  • added manifests to ES to signify what kind of object needs to be tracked
  • overhauled the templating to accommodate unstructured objects instead of just secrets
  • added dynamic watches using informers to all the object kinds (this implementation registers and deregisters informers based on how many usages there are for the currently used GVK)
  • modified the external secret controller to check non-secret objects
  • everything else should work the same way as with secrets (meaning ownership, merging, updating, deleting)
  • added documentation
  • added a feature flag to put all of this behind
  • updated the helm values files to include custom RBAC access for the custom objects

Checklist

  • I have read the contribution guidelines
  • All commits are signed with git commit --signoff
  • My changes have reasonable test coverage
  • All tests pass with make test
  • I ensured my PR is ready for review with make reviewable
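The description says informers are registered and deregistered according to how many ExternalSecrets use a given GVK. The following is an added example of that reference-counting scheme, written for this page and not code from the PR or the external-secrets project: a stub `Watch` stands in for a real informer, the ExternalSecret key, the `start` callback and the cap on distinct kinds (`maxKinds`, `ErrTooManyKinds`) are all assumptions. It tracks the set of ExternalSecrets per kind rather than a bare counter, so a repeated reconcile of the same object cannot inflate the count and leak a watch, and the cap bounds how many informers any set of user-supplied manifests can make the controller hold.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// GVK identifies a Kubernetes resource type (group/version/kind).
type GVK struct{ Group, Version, Kind string }

func (g GVK) String() string { return g.Group + "/" + g.Version + " Kind=" + g.Kind }

// Watch is the minimal handle this example starts and stops; a real
// controller would wrap an informer or controller-runtime source here.
type Watch interface{ Stop() }

// ErrTooManyKinds is returned when the assumed cap on distinct watched
// kinds would be exceeded, so unusual target kinds cannot grow the
// informer set without bound.
var ErrTooManyKinds = errors.New("watch limit reached for distinct target kinds")

// WatchTracker keeps, per GVK, the set of ExternalSecrets targeting it.
// The first user of a kind starts its watch, the last one stops it.
type WatchTracker struct {
	mu       sync.Mutex
	users    map[GVK]map[string]struct{} // GVK -> ExternalSecret keys using it
	watches  map[GVK]Watch
	start    func(GVK) (Watch, error) // assumed hook that starts an informer
	maxKinds int                      // assumed cap on distinct kinds
}

func NewWatchTracker(start func(GVK) (Watch, error), maxKinds int) *WatchTracker {
	return &WatchTracker{users: map[GVK]map[string]struct{}{}, watches: map[GVK]Watch{}, start: start, maxKinds: maxKinds}
}

// Track records that ExternalSecret esKey (namespace/name) targets gvk and
// reports whether this call started a new watch. Idempotent per (esKey, gvk).
func (t *WatchTracker) Track(esKey string, gvk GVK) (started bool, err error) {
	t.mu.Lock()
	defer t.mu.Unlock()
	if _, ok := t.watches[gvk]; !ok {
		if len(t.watches) >= t.maxKinds {
			return false, fmt.Errorf("%w: %s", ErrTooManyKinds, gvk)
		}
		w, startErr := t.start(gvk)
		if startErr != nil {
			return false, startErr
		}
		t.watches[gvk] = w
		t.users[gvk] = map[string]struct{}{}
		started = true
	}
	t.users[gvk][esKey] = struct{}{}
	return started, nil
}

// Untrack drops esKey's interest in gvk; true means the watch was stopped
// because no other ExternalSecret uses that kind any more.
func (t *WatchTracker) Untrack(esKey string, gvk GVK) bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	return t.untrackLocked(esKey, gvk)
}

// Release drops every reference held by esKey (the ExternalSecret was
// deleted) and returns how many watches that stopped.
func (t *WatchTracker) Release(esKey string) (stopped int) {
	t.mu.Lock()
	defer t.mu.Unlock()
	for gvk := range t.users { // deleting during range is safe in Go
		if t.untrackLocked(esKey, gvk) {
			stopped++
		}
	}
	return stopped
}

func (t *WatchTracker) untrackLocked(esKey string, gvk GVK) bool {
	users, ok := t.users[gvk]
	if !ok {
		return false
	}
	delete(users, esKey)
	if len(users) > 0 {
		return false
	}
	t.watches[gvk].Stop()
	delete(t.watches, gvk)
	delete(t.users, gvk)
	return true
}

// Users returns how many ExternalSecrets hold gvk's watch open.
func (t *WatchTracker) Users(gvk GVK) int { t.mu.Lock(); defer t.mu.Unlock(); return len(t.users[gvk]) }

// ActiveKinds returns the number of distinct kinds being watched.
func (t *WatchTracker) ActiveKinds() int { t.mu.Lock(); defer t.mu.Unlock(); return len(t.watches) }

// fakeWatch stands in for an informer so the example runs offline.
type fakeWatch struct{ gvk GVK }

func (f *fakeWatch) Stop() { fmt.Println("stopped watch on", f.gvk) }

func main() {
	tr := NewWatchTracker(func(g GVK) (Watch, error) {
		fmt.Println("started watch on", g)
		return &fakeWatch{gvk: g}, nil
	}, 2)
	cm := GVK{Version: "v1", Kind: "ConfigMap"}
	tr.Track("default/app-config", cm)
	tr.Track("default/app-config", cm) // repeat reconcile: no second watch
	tr.Track("default/other-config", cm)
	fmt.Println("users of ConfigMap:", tr.Users(cm)) // 2
	tr.Untrack("default/app-config", cm)             // still in use, stays open
	tr.Release("default/other-config")               // last user: watch stops
	fmt.Println("active kinds:", tr.ActiveKinds())   // 0
}
```

Swapping an ExternalSecret's target kind is then `Untrack(old)` followed by `Track(new)`, and its deletion is a single `Release`; the reviewer's "properly regulated" concern maps onto the two invariants the test below checks: a watch never stays open without a user, and the number of open watches never exceeds the cap.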

@github-actions github-actions bot added size/l kind/documentation Categorizes issue or PR as related to documentation. kind/feature Categorizes issue or PR as related to a new feature. and removed size/l labels Oct 15, 2025
@Skarlso Skarlso force-pushed the configmap-as-source branch from 1da7aa5 to d26410c Compare October 15, 2025 05:38
@Skarlso Skarlso force-pushed the configmap-as-source branch 5 times, most recently from 09ae0bf to a7e96ed Compare October 16, 2025 20:15
Skarlso commented Oct 22, 2025

Two problems:

  • literals in templates do not work rn
  • dataFrom data is base64 encoded in the target object and you probably don't want that.

// ManifestTarget defines a custom Kubernetes resource type to be created
// instead of a Secret. This allows ExternalSecret to create ConfigMaps,
// Custom Resources, or any other Kubernetes resource type.
type ManifestTarget struct {
Contributor

nit: This should be called reference in alignment with existing k8s reference concepts, so ManifestReference


// watchTracker tracks which GroupVersionKinds we're currently watching
// for non-Secret targets to enable drift detection.
watchTracker WatchTracker
Contributor

we have to be very careful here on implications as discussed in community call. please make sure this watchtracker is properly regulated

Contributor Author

I'm thinking how to do this nicely. :)

Contributor Author

done

secret.Data = make(map[string][]byte)
labels[k] = string(val)
obj.SetLabels(labels)
case "data":
Contributor

what if someone sets string data on a configmap? what's the behavior?

Contributor Author

It will probably fail horribly. :D :D I have to check that as well. :) I assume ( hopefully ) the api would throw back an error that spec ( or any other field ) is not allowed on the given object.
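Two threads above touch the same question: the author's note that `dataFrom` values land base64-encoded in a non-Secret target, and the reviewer asking what happens when `stringData` is set on a ConfigMap. The example below is added here and is not the project's code; it decides the encoding and the allowed fields from the target kind before anything reaches the API server, on an unstructured object modelled as a plain `map[string]any` so it runs without apimachinery. The per-kind rules for Secret and ConfigMap follow the core API (ConfigMap `data` must be UTF-8, binary goes to `binaryData`, `stringData` exists only on Secrets); the rule for any other kind, the hypothetical `example.com/v1 Widget`, and `ErrFieldNotAllowed` are assumptions. The encoding is the smaller issue: a ConfigMap is not covered by the RBAC and encryption-at-rest controls clusters usually reserve for Secrets, so the destination kind decides how sensitive the value may be.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"unicode/utf8"
)

// GVK identifies a Kubernetes resource type (group/version/kind).
type GVK struct{ Group, Version, Kind string }

func (g GVK) String() string { return g.Group + "/" + g.Version + " Kind=" + g.Kind }

// ErrFieldNotAllowed is returned (assumed error, not the project's) for a
// target field the kind cannot carry, caught before the manifest is sent.
var ErrFieldNotAllowed = errors.New("field not allowed on target kind")

func isCore(gvk GVK, kind string) bool {
	return gvk.Group == "" && gvk.Version == "v1" && gvk.Kind == kind
}

// ensureMap returns obj[field] as a map, creating it on first use.
func ensureMap(obj map[string]any, field string) map[string]any {
	if m, ok := obj[field].(map[string]any); ok {
		return m
	}
	m := map[string]any{}
	obj[field] = m
	return m
}

// SetTargetData writes rendered key/value pairs into a top-level field of
// obj. The encoding depends on the kind instead of being base64 everywhere:
//   - core/v1 Secret: "data" is base64, "stringData" is plain text.
//   - core/v1 ConfigMap: only "data" is accepted; UTF-8 values go there as
//     plain text, anything else goes to "binaryData" as base64.
//   - any other kind (assumed policy): plain strings under the requested
//     field; "stringData" is rejected because it is a Secret-only field.
func SetTargetData(obj map[string]any, gvk GVK, field string, values map[string][]byte) error {
	switch {
	case isCore(gvk, "Secret"):
		switch field {
		case "data":
			m := ensureMap(obj, "data")
			for k, v := range values {
				m[k] = base64.StdEncoding.EncodeToString(v)
			}
		case "stringData":
			m := ensureMap(obj, "stringData")
			for k, v := range values {
				m[k] = string(v)
			}
		default:
			return fmt.Errorf("%w: %q on %s", ErrFieldNotAllowed, field, gvk)
		}
	case isCore(gvk, "ConfigMap"):
		if field != "data" {
			return fmt.Errorf("%w: %q on %s", ErrFieldNotAllowed, field, gvk)
		}
		for k, v := range values {
			if utf8.Valid(v) {
				ensureMap(obj, "data")[k] = string(v)
			} else {
				ensureMap(obj, "binaryData")[k] = base64.StdEncoding.EncodeToString(v)
			}
		}
	default:
		if field == "stringData" {
			return fmt.Errorf("%w: %q on %s", ErrFieldNotAllowed, field, gvk)
		}
		m := ensureMap(obj, field)
		for k, v := range values {
			m[k] = string(v)
		}
	}
	return nil
}

func main() {
	// Constructed sample: the same rendered values written to three kinds.
	values := map[string][]byte{"user": []byte("admin"), "raw": {0xff, 0xfe}}
	for _, gvk := range []GVK{
		{Version: "v1", Kind: "Secret"},
		{Version: "v1", Kind: "ConfigMap"},
		{Group: "example.com", Version: "v1", Kind: "Widget"}, // hypothetical CRD
	} {
		obj := map[string]any{}
		if err := SetTargetData(obj, gvk, "data", values); err != nil {
			fmt.Println(gvk, "error:", err)
			continue
		}
		fmt.Println(gvk, obj)
	}
	// A Secret-only field on a ConfigMap is rejected locally, with a clear
	// error instead of a server-side validation failure.
	fmt.Println(SetTargetData(map[string]any{}, GVK{Version: "v1", Kind: "ConfigMap"}, "stringData", values))
}
```

Rejecting unknown fields client-side gives the ExternalSecret status a readable reason rather than relying on the API server's validation error, which is what the author expected to happen in the reply above.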

@gusfcarvalho gusfcarvalho linked an issue Oct 23, 2025 that may be closed by this pull request
@Skarlso Skarlso force-pushed the configmap-as-source branch 2 times, most recently from 575d088 to aa078e5 Compare October 25, 2025 18:37
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
… objects

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
… tracking objects

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

On-behalf-of: Gergely Brautigam <gergely.brautigam@sap.com>
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

On-behalf-of: Gergely Brautigam <gergely.brautigam@sap.com>
…leGenericTarget

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
@Skarlso Skarlso force-pushed the configmap-as-source branch from 5cd445d to 606f8ae Compare November 3, 2025 07:31
Skarlso commented Nov 3, 2025

/ok-to-test sha=606f8aec71698a0546710ad6321a3eca2eac814a

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
@Skarlso Skarlso force-pushed the configmap-as-source branch from 606f8ae to 86ceaec Compare November 3, 2025 07:43
Skarlso commented Nov 3, 2025

/ok-to-test sha=86ceaecee942dba44ef84aaa3947d0417dedfb87

@Skarlso Skarlso merged commit 640d029 into external-secrets:main Nov 3, 2025
30 checks passed
@github-project-automation github-project-automation bot moved this from In Review to Done in External Secrets Nov 3, 2025
alexlebens pushed a commit to alexlebens/infrastructure that referenced this pull request Nov 10, 2025
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [external-secrets](https://github.com/external-secrets/external-secrets) | major | `0.20.4` -> `1.0.0` |

---

### Release Notes

<details>
<summary>external-secrets/external-secrets (external-secrets)</summary>

### [`v1.0.0`](https://github.com/external-secrets/external-secrets/releases/tag/v1.0.0)

[Compare Source](external-secrets/external-secrets@v0.20.4...v1.0.0)

Image: `ghcr.io/external-secrets/external-secrets:v1.0.0`
Image: `ghcr.io/external-secrets/external-secrets:v1.0.0-ubi`
Image: `ghcr.io/external-secrets/external-secrets:v1.0.0-ubi-boringssl`


#### What's Changed

##### General

- chore: release helm chart for v0.20.4 by [@Skarlso](https://github.com/Skarlso) in [#5502](external-secrets/external-secrets#5502)
- chore(actions): fix security alerts for github actions by [@Skarlso](https://github.com/Skarlso) in [#5504](external-secrets/external-secrets#5504)
- chore(release): fix incorrect shas from security alert pinning by [@jakobmoellerdev](https://github.com/jakobmoellerdev) in [#5512](external-secrets/external-secrets#5512)
- chore: update dependencies by [@eso-service-account-app](https://github.com/eso-service-account-app)\[bot] in [#5519](external-secrets/external-secrets#5519)
- fix: upgrade go version by [@Skarlso](https://github.com/Skarlso) in [#5529](external-secrets/external-secrets#5529)
- fix(charts): normalize certificate duration default value by [@aslafy-z](https://github.com/aslafy-z) in [#5497](external-secrets/external-secrets#5497)
- chore(revive-linter): add revive linter configuration by [@Lumexralph](https://github.com/Lumexralph) in [#5515](external-secrets/external-secrets#5515)
- feat: go module separation by [@moolen](https://github.com/moolen) in [#5498](external-secrets/external-secrets#5498)
- fix: update deps script to reflect new go mod structure by [@moolen](https://github.com/moolen) in [#5532](external-secrets/external-secrets#5532)
- fix: lint by [@gusfcarvalho](https://github.com/gusfcarvalho) in [#5536](external-secrets/external-secrets#5536)
- feat: dynamic target implementation for external secrets sources by [@Skarlso](https://github.com/Skarlso) in [#5470](external-secrets/external-secrets#5470)
- fix: codeql should not rebuild the world on every run by [@Skarlso](https://github.com/Skarlso) in [#5540](external-secrets/external-secrets#5540)
- fix(onepassword): Reduce API usage by [@sondrelg](https://github.com/sondrelg) in [#5410](external-secrets/external-secrets#5410)
- feat(esoctl): adds bootstrap generator commands by [@gusfcarvalho](https://github.com/gusfcarvalho) in [#5539](external-secrets/external-secrets#5539)
- fix: adds missing externalsecret\_type validation on generatorRef by [@gusfcarvalho](https://github.com/gusfcarvalho) in [#5547](external-secrets/external-secrets#5547)
- chore(docs): fix the generic resource doc using the incorrect switch by [@Skarlso](https://github.com/Skarlso) in [#5548](external-secrets/external-secrets#5548)
- docs(adopters): add Topicus.Education to adopters list by [@sboschman](https://github.com/sboschman) in [#5551](external-secrets/external-secrets#5551)
- fix(build): use more portable bash by [@tiagolobocastro](https://github.com/tiagolobocastro) in [#5537](external-secrets/external-secrets#5537)

##### Dependencies

- chore(deps): bump alpine from `4bcff63` to `4b7ce07` in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#5507](external-secrets/external-secrets#5507)
- chore(deps): bump golang from 1.25.2 to 1.25.3 by [@dependabot](https://github.com/dependabot)\[bot] in [#5506](external-secrets/external-secrets#5506)
- chore(deps): bump golang from `aee43c3` to `aee43c3` by [@dependabot](https://github.com/dependabot)\[bot] in [#5516](external-secrets/external-secrets#5516)
- chore(deps): bump golang from 1.25.2-bookworm to 1.25.3-bookworm in /e2e by [@dependabot](https://github.com/dependabot)\[bot] in [#5505](external-secrets/external-secrets#5505)
- chore(deps): bump anchore/sbom-action from 0.20.8 to 0.20.9 by [@dependabot](https://github.com/dependabot)\[bot] in [#5508](external-secrets/external-secrets#5508)
- chore(deps): bump hashicorp/setup-terraform from [`c529327`](external-secrets/external-secrets@c529327) to [`982f6f0`](external-secrets/external-secrets@982f6f0) by [@dependabot](https://github.com/dependabot)\[bot] in [#5510](external-secrets/external-secrets#5510)
- chore(deps): bump actions/github-script from 7.0.1 to 8.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#5513](external-secrets/external-secrets#5513)
- chore(deps): bump github/codeql-action from 4.30.9 to 4.31.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#5514](external-secrets/external-secrets#5514)
- chore(deps): bump actions/cache from 4.2.4 to 4.3.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#5511](external-secrets/external-secrets#5511)
- chore(deps): bump regex from 2025.9.18 to 2025.10.23 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#5509](external-secrets/external-secrets#5509)
- chore(deps): bump mkdocs-macros-plugin from 1.4.0 to 1.4.1 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#5518](external-secrets/external-secrets#5518)
- chore(deps): bump termcolor from 3.1.0 to 3.2.0 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#5517](external-secrets/external-secrets#5517)
- chore(deps): bump github/codeql-action from 4.31.0 to 4.31.2 by [@dependabot](https://github.com/dependabot)\[bot] in [#5531](external-secrets/external-secrets#5531)
- chore(deps): bump mkdocs-material from 9.6.22 to 9.6.23 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#5533](external-secrets/external-secrets#5533)

#### New Contributors

- [@sondrelg](https://github.com/sondrelg) made their first contribution in [#5410](external-secrets/external-secrets#5410)
- [@tiagolobocastro](https://github.com/tiagolobocastro) made their first contribution in [#5537](external-secrets/external-secrets#5537)

**Full Changelog**: <external-secrets/external-secrets@v0.20.4...v1.0.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/1985
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
Successfully merging this pull request may close these issues.

Creating External Config Maps

5 participants