feat(security): add support for ECDSA ssh keys#5559
Merged
Skarlso merged 2 commits intoexternal-secrets:mainfrom Nov 10, 2025
Merged
feat(security): add support for ECDSA ssh keys#5559Skarlso merged 2 commits intoexternal-secrets:mainfrom
Skarlso merged 2 commits intoexternal-secrets:mainfrom
Conversation
Signed-off-by: Craig Fielder <craig.fielder@teslagovernment.com>
Skarlso
approved these changes
Nov 10, 2025
|
alexlebens
pushed a commit
to alexlebens/infrastructure
that referenced
this pull request
Nov 22, 2025
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [external-secrets](https://github.com/external-secrets/external-secrets) | minor | `1.0.0` -> `1.1.0` | --- ### Release Notes <details> <summary>external-secrets/external-secrets (external-secrets)</summary> ### [`v1.1.0`](https://github.com/external-secrets/external-secrets/releases/tag/v1.1.0) [Compare Source](external-secrets/external-secrets@v1.0.0...v1.1.0) Image: `ghcr.io/external-secrets/external-secrets:v1.1.0` Image: `ghcr.io/external-secrets/external-secrets:v1.1.0-ubi` Image: `ghcr.io/external-secrets/external-secrets:v1.1.0-ubi-boringssl` <!-- Release notes generated using configuration in .github/release.yml at main --> #### What's Changed !*NOTE*!: During last community meeting we discussed that we are retiring our scarf account. With that, we will be changing back to [ghcr.io/external-secrets/external-secrets](http://ghcr.io/external-secrets/external-secrets) instead of [oci.external-secrets.io/external-secrets/external-secrets](http://oci.external-secrets.io/external-secrets/external-secrets). For now, the old domain will live for a couple months to give people to change back. With this release , the helm chart switched back to ghcr. ##### General - chore(chart): release helm chart 1.0.0 by [@​Skarlso](https://github.com/Skarlso) in [#​5552](external-secrets/external-secrets#5552) - feat(security): add support for ECDSA ssh keys by [@​bigjazzsound](https://github.com/bigjazzsound) in [#​5559](external-secrets/external-secrets#5559) - fix: minor typo in comment of KeeperSecurity example by [@​mdjong1](https://github.com/mdjong1) in [#​5573](external-secrets/external-secrets#5573) - docs(gcp): update documentation for using WorkloadIdentityFederation in non-GKE cluster by [@​jennweir](https://github.com/jennweir) in [#​5556](external-secrets/external-secrets#5556) - chore(release): add darwin\_arm64 releases by [@​lbordowitz](https://github.com/lbordowitz) in [#​5583](external-secrets/external-secrets#5583) - feat: support override IAM endpoint in IBM provider for APIkey auth by [@​fidel-ruiz](https://github.com/fidel-ruiz) in [#​5550](external-secrets/external-secrets#5550) - feat(security): build tags for all the providers to disable them on d… by [@​ShimonDarshan](https://github.com/ShimonDarshan) in [#​5578](external-secrets/external-secrets#5578) - fix: do not include the last element of the path in the iteration by [@​Skarlso](https://github.com/Skarlso) in [#​5588](external-secrets/external-secrets#5588) - fix(k8s): support deleting whole secret by [@​tiagolobocastro](https://github.com/tiagolobocastro) in [#​5538](external-secrets/external-secrets#5538) - fix(provider): configure TLS for secret server provider by [@​Lumexralph](https://github.com/Lumexralph) in [#​5558](external-secrets/external-secrets#5558) - chore(aws): remove any usage of aws-sdk-v1 by [@​Skarlso](https://github.com/Skarlso) in [#​5590](external-secrets/external-secrets#5590) - fix(gcp): check for secret version exists in PushSecret by [@​bpalko](https://github.com/bpalko) in [#​5593](external-secrets/external-secrets#5593) - feat(vault): add GCP Workload Identity authentication support by [@​SamuelMolling](https://github.com/SamuelMolling) in [#​5356](external-secrets/external-secrets#5356) - chore: fix sonar cloud issues by [@​Skarlso](https://github.com/Skarlso) in [#​5405](external-secrets/external-secrets#5405) - chore(aws-sdk-v2): update dependencies to accept new aws regions by [@​damienpuig](https://github.com/damienpuig) in [#​5577](external-secrets/external-secrets#5577) - feat(chart): use ghcr.io instead of our own domain by [@​evrardjp](https://github.com/evrardjp) in [#​5617](external-secrets/external-secrets#5617) ##### Dependencies - chore(deps): bump golang from 1.25.3 to 1.25.4 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5560](external-secrets/external-secrets#5560) - chore(deps): bump golang from 1.25.3-bookworm to 1.25.4-bookworm in /e2e by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5568](external-secrets/external-secrets#5568) - chore(deps): bump step-security/harden-runner from 2.13.1 to 2.13.2 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5561](external-secrets/external-secrets#5561) - chore(deps): bump softprops/action-gh-release from 2.4.1 to 2.4.2 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5564](external-secrets/external-secrets#5564) - chore(deps): bump helm/chart-testing-action from 2.7.0 to 2.8.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5565](external-secrets/external-secrets#5565) - chore(deps): bump aws-actions/configure-aws-credentials from [`0d00a56`](external-secrets/external-secrets@0d00a56) to [`2475ef7`](external-secrets/external-secrets@2475ef7) by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5562](external-secrets/external-secrets#5562) - chore(deps): bump helm/kind-action from 1.12.0 to 1.13.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5563](external-secrets/external-secrets#5563) - chore(deps): bump docker/setup-qemu-action from 3.6.0 to 3.7.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5567](external-secrets/external-secrets#5567) - chore(deps): bump regex from 2025.10.23 to 2025.11.3 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5570](external-secrets/external-secrets#5570) - chore(deps): bump markdown from 3.9 to 3.10 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5569](external-secrets/external-secrets#5569) - chore(deps): bump hashicorp/setup-terraform from [`982f6f0`](external-secrets/external-secrets@982f6f0) to [`4c5fdab`](external-secrets/external-secrets@4c5fdab) by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5566](external-secrets/external-secrets#5566) - chore(deps): bump golang from `d3f0cf7` to `d3f0cf7` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5595](external-secrets/external-secrets#5595) - chore(deps): bump github/codeql-action from 4.31.2 to 4.31.3 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5596](external-secrets/external-secrets#5596) - chore(deps): bump click from 8.3.0 to 8.3.1 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5602](external-secrets/external-secrets#5602) - chore(deps): bump ubi9/ubi from `dec374e` to `dcd8128` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5594](external-secrets/external-secrets#5594) - chore(deps): bump aws-actions/configure-aws-credentials from [`2475ef7`](external-secrets/external-secrets@2475ef7) to [`f2964c7`](external-secrets/external-secrets@f2964c7) by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5597](external-secrets/external-secrets#5597) - chore(deps): bump actions/dependency-review-action from 4.8.1 to 4.8.2 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5598](external-secrets/external-secrets#5598) - chore(deps): bump pymdown-extensions from 10.16.1 to 10.17.1 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5599](external-secrets/external-secrets#5599) - chore(deps): bump certifi from 2025.10.5 to 2025.11.12 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5600](external-secrets/external-secrets#5600) - chore(deps): bump mkdocs-material from 9.6.23 to 9.7.0 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5601](external-secrets/external-secrets#5601) - chore(deps): bump mkdocs-macros-plugin from 1.4.1 to 1.5.0 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5603](external-secrets/external-secrets#5603) #### New Contributors - [@​bigjazzsound](https://github.com/bigjazzsound) made their first contribution in [#​5559](external-secrets/external-secrets#5559) - [@​mdjong1](https://github.com/mdjong1) made their first contribution in [#​5573](external-secrets/external-secrets#5573) - [@​jennweir](https://github.com/jennweir) made their first contribution in [#​5556](external-secrets/external-secrets#5556) - [@​lbordowitz](https://github.com/lbordowitz) made their first contribution in [#​5583](external-secrets/external-secrets#5583) - [@​fidel-ruiz](https://github.com/fidel-ruiz) made their first contribution in [#​5550](external-secrets/external-secrets#5550) - [@​ShimonDarshan](https://github.com/ShimonDarshan) made their first contribution in [#​5578](external-secrets/external-secrets#5578) - [@​bpalko](https://github.com/bpalko) made their first contribution in [#​5593](external-secrets/external-secrets#5593) - [@​SamuelMolling](https://github.com/SamuelMolling) made their first contribution in [#​5356](external-secrets/external-secrets#5356) - [@​damienpuig](https://github.com/damienpuig) made their first contribution in [#​5577](external-secrets/external-secrets#5577) **Full Changelog**: <external-secrets/external-secrets@v1.0.0...v1.1.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi41LjAiLCJ1cGRhdGVkSW5WZXIiOiI0Mi41LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImNoYXJ0Il19--> Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/2081 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem Statement
I work in a highly regulated environment in which the only approved SSH key type is ECDSA. Currently the SSHKey generator only supports RSA and ED25519 key types.
Proposed Changes
I've added functionality to the SSHKey generator to support the creation of ECDSA keys. Its mostly just a copy of the RSA key generator, but supports the standard key sizes of an ECDSA key.
Checklist
git commit --signoffmake testmake reviewable