feat(security): build tags for all the providers to disable them on d…#5578

Merged
Skarlso merged 2 commits into external-secrets:main from ShimonDarshan:feat/add-option-to-build-only-specific-providers-v2 on Nov 14, 2025

@ShimonDarshan ShimonDarshan commented Nov 12, 2025

Problem Statement

Currently, ESO always includes all providers in the build, which can be a security concern for users who want to only include the providers they actually use. There is no way to opt-out of unnecessary providers at build time.

Related Issue

Fixes #5295

Proposed Changes

  • Added support for provider-specific build tags in ESO using Go’s native build tags.
  • Users can now build ESO with only the providers they need by running:
    make build PROVIDER=aws
    make build PROVIDER="vault,aws"
  • Default behavior remains the same: all providers are built if PROVIDER is not set.
  • This approach improves security and reduces binary footprint for users who do not need all providers.

Format

Please ensure that your PR follows the following format for the title:

feat(scope): add new feature
fix(scope): fix bug
docs(scope): update documentation
chore(scope): update build tool or dependencies
ref(scope): refactor code
clean(scope): provider cleanup
test(scope): add tests
perf(scope): improve performance
desig(scope): improve design

Where scope is optionally one of:

  • charts
  • release
  • testing
  • security
  • templating

Checklist

  • I have read the contribution guidelines
  • All commits are signed with git commit --signoff
  • My changes have reasonable test coverage
  • All tests pass with make test
  • I ensured my PR is ready for review with make reviewable

…emand

Signed-off-by: Shimon Darshan <Shimon.Darshan@gmail.com>
@github-actions github-actions bot added area/security Issues / Pull Requests related to security kind/feature Categorizes issue or PR as related to a new feature. size/l labels Nov 12, 2025

Skarlso commented Nov 14, 2025

Looks alright. 🤔


Skarlso commented Nov 14, 2025

/ok-to-test sha=1bce671b2db17a3b080157efe08bca6abb5cb039


Skarlso commented Nov 14, 2025

Honestly, this appears to be working. :D I would like to have some second eyes. But this looks okay to me.

@Skarlso Skarlso moved this to In Review in External Secrets Nov 14, 2025
@Skarlso Skarlso merged commit fd4f915 into external-secrets:main Nov 14, 2025
29 checks passed
@github-project-automation github-project-automation bot moved this from In Review to Done in External Secrets Nov 14, 2025
alexlebens pushed a commit to alexlebens/infrastructure that referenced this pull request Nov 22, 2025
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [external-secrets](https://github.com/external-secrets/external-secrets) | minor | `1.0.0` -> `1.1.0` |

---

### Release Notes

<details>
<summary>external-secrets/external-secrets (external-secrets)</summary>

### [`v1.1.0`](https://github.com/external-secrets/external-secrets/releases/tag/v1.1.0)

[Compare Source](external-secrets/external-secrets@v1.0.0...v1.1.0)

Image: `ghcr.io/external-secrets/external-secrets:v1.1.0`
Image: `ghcr.io/external-secrets/external-secrets:v1.1.0-ubi`
Image: `ghcr.io/external-secrets/external-secrets:v1.1.0-ubi-boringssl`

#### What's Changed

!*NOTE*!: During last community meeting we discussed that we are retiring our scarf account. With that, we will be changing back to [ghcr.io/external-secrets/external-secrets](http://ghcr.io/external-secrets/external-secrets) instead of [oci.external-secrets.io/external-secrets/external-secrets](http://oci.external-secrets.io/external-secrets/external-secrets).

For now, the old domain will live for a couple months to give people time to change back. With this release, the helm chart switched back to ghcr.

##### General

- chore(chart): release helm chart 1.0.0 by [@Skarlso](https://github.com/Skarlso) in [#5552](external-secrets/external-secrets#5552)
- feat(security): add support for ECDSA ssh keys by [@bigjazzsound](https://github.com/bigjazzsound) in [#5559](external-secrets/external-secrets#5559)
- fix: minor typo in comment of KeeperSecurity example by [@mdjong1](https://github.com/mdjong1) in [#5573](external-secrets/external-secrets#5573)
- docs(gcp): update documentation for using WorkloadIdentityFederation in non-GKE cluster by [@jennweir](https://github.com/jennweir) in [#5556](external-secrets/external-secrets#5556)
- chore(release): add darwin\_arm64 releases by [@lbordowitz](https://github.com/lbordowitz) in [#5583](external-secrets/external-secrets#5583)
- feat: support override IAM endpoint in IBM provider for APIkey auth by [@fidel-ruiz](https://github.com/fidel-ruiz) in [#5550](external-secrets/external-secrets#5550)
- feat(security): build tags for all the providers to disable them on d… by [@ShimonDarshan](https://github.com/ShimonDarshan) in [#5578](external-secrets/external-secrets#5578)
- fix: do not include the last element of the path in the iteration by [@Skarlso](https://github.com/Skarlso) in [#5588](external-secrets/external-secrets#5588)
- fix(k8s): support deleting whole secret by [@tiagolobocastro](https://github.com/tiagolobocastro) in [#5538](external-secrets/external-secrets#5538)
- fix(provider): configure TLS for secret server provider by [@Lumexralph](https://github.com/Lumexralph) in [#5558](external-secrets/external-secrets#5558)
- chore(aws): remove any usage of aws-sdk-v1 by [@Skarlso](https://github.com/Skarlso) in [#5590](external-secrets/external-secrets#5590)
- fix(gcp): check for secret version exists in PushSecret by [@bpalko](https://github.com/bpalko) in [#5593](external-secrets/external-secrets#5593)
- feat(vault): add GCP Workload Identity authentication support by [@SamuelMolling](https://github.com/SamuelMolling) in [#5356](external-secrets/external-secrets#5356)
- chore: fix sonar cloud issues by [@Skarlso](https://github.com/Skarlso) in [#5405](external-secrets/external-secrets#5405)
- chore(aws-sdk-v2): update dependencies to accept new aws regions by [@damienpuig](https://github.com/damienpuig) in [#5577](external-secrets/external-secrets#5577)
- feat(chart): use ghcr.io instead of our own domain by [@evrardjp](https://github.com/evrardjp) in [#5617](external-secrets/external-secrets#5617)

##### Dependencies

- chore(deps): bump golang from 1.25.3 to 1.25.4 by [@dependabot](https://github.com/dependabot)\[bot] in [#5560](external-secrets/external-secrets#5560)
- chore(deps): bump golang from 1.25.3-bookworm to 1.25.4-bookworm in /e2e by [@dependabot](https://github.com/dependabot)\[bot] in [#5568](external-secrets/external-secrets#5568)
- chore(deps): bump step-security/harden-runner from 2.13.1 to 2.13.2 by [@dependabot](https://github.com/dependabot)\[bot] in [#5561](external-secrets/external-secrets#5561)
- chore(deps): bump softprops/action-gh-release from 2.4.1 to 2.4.2 by [@dependabot](https://github.com/dependabot)\[bot] in [#5564](external-secrets/external-secrets#5564)
- chore(deps): bump helm/chart-testing-action from 2.7.0 to 2.8.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#5565](external-secrets/external-secrets#5565)
- chore(deps): bump aws-actions/configure-aws-credentials from [`0d00a56`](external-secrets/external-secrets@0d00a56) to [`2475ef7`](external-secrets/external-secrets@2475ef7) by [@dependabot](https://github.com/dependabot)\[bot] in [#5562](external-secrets/external-secrets#5562)
- chore(deps): bump helm/kind-action from 1.12.0 to 1.13.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#5563](external-secrets/external-secrets#5563)
- chore(deps): bump docker/setup-qemu-action from 3.6.0 to 3.7.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#5567](external-secrets/external-secrets#5567)
- chore(deps): bump regex from 2025.10.23 to 2025.11.3 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#5570](external-secrets/external-secrets#5570)
- chore(deps): bump markdown from 3.9 to 3.10 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#5569](external-secrets/external-secrets#5569)
- chore(deps): bump hashicorp/setup-terraform from [`982f6f0`](external-secrets/external-secrets@982f6f0) to [`4c5fdab`](external-secrets/external-secrets@4c5fdab) by [@dependabot](https://github.com/dependabot)\[bot] in [#5566](external-secrets/external-secrets#5566)
- chore(deps): bump golang from `d3f0cf7` to `d3f0cf7` by [@dependabot](https://github.com/dependabot)\[bot] in [#5595](external-secrets/external-secrets#5595)
- chore(deps): bump github/codeql-action from 4.31.2 to 4.31.3 by [@dependabot](https://github.com/dependabot)\[bot] in [#5596](external-secrets/external-secrets#5596)
- chore(deps): bump click from 8.3.0 to 8.3.1 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#5602](external-secrets/external-secrets#5602)
- chore(deps): bump ubi9/ubi from `dec374e` to `dcd8128` by [@dependabot](https://github.com/dependabot)\[bot] in [#5594](external-secrets/external-secrets#5594)
- chore(deps): bump aws-actions/configure-aws-credentials from [`2475ef7`](external-secrets/external-secrets@2475ef7) to [`f2964c7`](external-secrets/external-secrets@f2964c7) by [@dependabot](https://github.com/dependabot)\[bot] in [#5597](external-secrets/external-secrets#5597)
- chore(deps): bump actions/dependency-review-action from 4.8.1 to 4.8.2 by [@dependabot](https://github.com/dependabot)\[bot] in [#5598](external-secrets/external-secrets#5598)
- chore(deps): bump pymdown-extensions from 10.16.1 to 10.17.1 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#5599](external-secrets/external-secrets#5599)
- chore(deps): bump certifi from 2025.10.5 to 2025.11.12 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#5600](external-secrets/external-secrets#5600)
- chore(deps): bump mkdocs-material from 9.6.23 to 9.7.0 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#5601](external-secrets/external-secrets#5601)
- chore(deps): bump mkdocs-macros-plugin from 1.4.1 to 1.5.0 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#5603](external-secrets/external-secrets#5603)

#### New Contributors

- [@bigjazzsound](https://github.com/bigjazzsound) made their first contribution in [#5559](external-secrets/external-secrets#5559)
- [@mdjong1](https://github.com/mdjong1) made their first contribution in [#5573](external-secrets/external-secrets#5573)
- [@jennweir](https://github.com/jennweir) made their first contribution in [#5556](external-secrets/external-secrets#5556)
- [@lbordowitz](https://github.com/lbordowitz) made their first contribution in [#5583](external-secrets/external-secrets#5583)
- [@fidel-ruiz](https://github.com/fidel-ruiz) made their first contribution in [#5550](external-secrets/external-secrets#5550)
- [@ShimonDarshan](https://github.com/ShimonDarshan) made their first contribution in [#5578](external-secrets/external-secrets#5578)
- [@bpalko](https://github.com/bpalko) made their first contribution in [#5593](external-secrets/external-secrets#5593)
- [@SamuelMolling](https://github.com/SamuelMolling) made their first contribution in [#5356](external-secrets/external-secrets#5356)
- [@damienpuig](https://github.com/damienpuig) made their first contribution in [#5577](external-secrets/external-secrets#5577)

**Full Changelog**: <external-secrets/external-secrets@v1.0.0...v1.1.0>

</details>

---


This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/2081
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
efbar added a commit to efbar/os that referenced this pull request Dec 3, 2025
Version 1.1.0 introduced build tags that make providers opt-in. Without
the all_providers tag, the binary is built with no provider backends,
causing "failed to find registered store backend" errors.

Added tags: all_providers to the go/build pipeline and a test to verify
AWS provider is available by creating a test SecretStore resource.

Ref: external-secrets/external-secrets#5578

Signed-off-by: Francesco Bartolini <francesco.bartolini@chainguard.dev>
AmberArcadia pushed a commit to wolfi-dev/os that referenced this pull request Dec 3, 2025
…rt (#73722)

Version 1.1.0 introduced build tags that make providers opt-in. Without
the all_providers tag, the binary is built with no provider backends,
causing "failed to find registered store backend" errors.

Added tags: all_providers to the go/build pipeline and a test to verify
AWS provider is available by creating a test SecretStore resource.

Ref: external-secrets/external-secrets#5578

Signed-off-by: Francesco Bartolini <francesco.bartolini@chainguard.dev>

Signed-off-by: Francesco Bartolini <francesco.bartolini@chainguard.dev>
tokiwong pushed a commit to tokiwong/external-secrets that referenced this pull request Dec 9, 2025
…emand (external-secrets#5578)

Signed-off-by: Shimon Darshan <Shimon.Darshan@gmail.com>
Co-authored-by: Gergely Brautigam <skarlso777@gmail.com>
Signed-off-by: Alvin Wong <alvin.wong@forgerock.com>
evrardj-roche added a commit to evrardj-roche/external-secrets that referenced this pull request Jan 20, 2026
Since build tags are used for providers [1], the providers are
included on demand. This is a nice feature.

However, for development, this is error prone, as people might
expect the dev build to include all tags by default.

This is a problem, as it leads to dev errors and issues.

This fixes it by _ensuring_ all the providers are built by default.

[1]: external-secrets#5578

Signed-off-by: Jean-Philippe Evrard <jean-philippe.evrard+rochepub@external.roche.com>
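
The packaging failure reported in the referencing commits (a binary built with no provider backends) can be caught before release by evaluating each provider's build constraint against the tags a pipeline passes. The following is an added example, not code from external-secrets or from this PR; the `registerFiles` table, its constraint lines and the `aws`, `gcp` and `vault` tag names are assumptions, and only `all_providers` is named on this page.

```go
package main

import (
	"fmt"
	"go/build/constraint"
	"strings"
)

// Constructed constraint lines, one per hypothetical provider registration
// file. Tag names aws/gcp/vault are assumptions; all_providers is the tag
// named in the follow-up commit messages.
var registerFiles = map[string]string{
	"aws":   "//go:build aws || all_providers",
	"gcp":   "//go:build gcp || all_providers",
	"vault": "//go:build vault || all_providers",
}

// compiled reports whether the provider's registration file would be built
// for a comma-separated -tags value, using the toolchain's own parser.
func compiled(tags, provider string) bool {
	set := map[string]bool{}
	for _, t := range strings.Split(tags, ",") {
		set[strings.TrimSpace(t)] = true
	}
	expr, err := constraint.Parse(registerFiles[provider])
	if err != nil {
		return false // unknown provider or malformed constraint line
	}
	return expr.Eval(func(tag string) bool { return set[tag] })
}

// missingProviders lists required providers a build would lack, so a
// pipeline can fail before shipping a binary with no store backends.
func missingProviders(tags string, required []string) []string {
	var missing []string
	for _, p := range required {
		if !compiled(tags, p) {
			missing = append(missing, p)
		}
	}
	return missing
}

func main() {
	need := []string{"aws", "vault"}
	for _, tags := range []string{"", "vault", "vault,aws", "all_providers"} {
		fmt.Printf("-tags=%q missing=%v\n", tags, missingProviders(tags, need))
	}
}
```

An empty tag set reports every required provider as missing, which is the opt-in default the commit messages above describe.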
Development

Successfully merging this pull request may close these issues.

feat: build tags for all the providers to disable them on demand