feat(charts): add global values for common deployment configurations #5652
This looks reasonable to me. After test fixes ofc. And can you please show some manual testing as well since this is a rather significant update to our helm charts.
/ok-to-test sha=bfd23b854ab5f87a6bdc11fef86d098770ac2bba
I've included the manual tests in the PR description. Is this format okay for you?
I meant actually installing it and seeing that the variables are working and installation isn't broken :) |
Oh ok, sorry. I installed it on my local Kind cluster and the installation was successful. The logs and controller status are correct, and the labels were also deployed. The commands and logs are in the PR description now.
No worries, I wasn't really clear on that one. :D
/ok-to-test sha=909ca731e6d895ad69d01a7b70f9d7531be0fc22
Signed-off-by: gabryel8818 <gabriel@gmn.dev.br>
Hmm, how can I fix this error? I confess I didn't quite understand it.
Hmmm, it doesn't seem to be related, but sadly pops up frequently nowadays. I'll restart it, let's see if it persists.



Problem Statement
Currently, when users need to apply common configurations like podLabels, podAnnotations, imagePullSecrets, or use a custom repository across all three deployments (controller, webhook, and cert-controller), they must declare these values separately for each deployment. This leads to repetitive configuration and makes it harder to maintain consistency across the chart.
Proposed Changes
This PR introduces global configuration values that can be used across all deployments in the external-secrets Helm chart. The implementation follows a simple precedence model: local values take priority over global values when defined, otherwise global values are used.
Changes Made:
Added Global Values (values.yaml):
- global.podLabels: Global pod labels applied to all deployments
- global.podAnnotations: Global pod annotations applied to all deployments
- global.imagePullSecrets: Global image pull secrets applied to all deployments
- global.repository: Global image repository applied to all deployments
Updated Deployment Templates:
- deployment.yaml, webhook-deployment.yaml, and cert-controller-deployment.yaml to use if/else logic
Updated Helper Functions (_helpers.tpl):
- external-secrets.image template to support global.repository
Comprehensive Test Coverage:
- global_values_test.yaml with 26 tests covering:
Documentation:
- make helm.docs to reflect new global values
Why This Approach:
Format
Checklist
- git commit --signoff
- make test
- make reviewable
Deployment Commands
1. Create Namespace
Output:
2. Install Helm Chart with Global Values
Output:
✅ Installation successful!
Verification
3. Check Deployment Status
Output:
✅ All 3 deployments are running and available (1/1)
4. Check Pod Status
Output:
✅ All 3 pods are running successfully
5. Verify Global podLabels and podAnnotations Applied
kubectl get pod -n external-secrets-test -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{.metadata.labels}{"\n\n"}{end}'
Output:
✅ Global labels present in ALL pods:
- team: platform ✓
- environment: production ✓
Check Pod Annotations
kubectl get pod -n external-secrets-test -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{.metadata.annotations}{"\n\n"}{end}'
Output:
✅ Global annotations present in ALL pods:
- owner: platform-team ✓
- monitoring: prometheus ✓
6. Verify Controller Deployment Template
Output:
✅ Global labels and annotations in controller deployment template
7. Verify Webhook Deployment Template
Output:
✅ Global labels and annotations in webhook deployment template
8. Verify Cert-Controller Deployment Template
Output:
✅ Global labels and annotations in cert-controller deployment template
9. Verify Global Repository Applied
kubectl get deployment external-secrets-test -n external-secrets-test -o jsonpath='{.spec.template.spec.containers[0].image}'
Output:
✅ Global repository applied:
ghcr.io/external-secrets/external-secrets
10. Check Controller Logs
Output:
{"level":"info","ts":1765386499.905142,"msg":"Starting Controller","controller":"secretstore","controllerGroup":"external-secrets.io","controllerKind":"SecretStore"}
{"level":"info","ts":1765386499.9051476,"msg":"Starting workers","controller":"secretstore","controllerGroup":"external-secrets.io","controllerKind":"SecretStore","worker count":1}
{"level":"info","ts":1765386499.9052277,"msg":"Starting Controller","controller":"pushsecret","controllerGroup":"external-secrets.io","controllerKind":"PushSecret"}
{"level":"info","ts":1765386499.9052436,"msg":"Starting workers","controller":"pushsecret","controllerGroup":"external-secrets.io","controllerKind":"PushSecret","worker count":1}
{"level":"info","ts":1765386499.9062235,"msg":"Starting Controller","controller":"clusterexternalsecret","controllerGroup":"external-secrets.io","controllerKind":"ClusterExternalSecret"}
{"level":"info","ts":1765386499.9062366,"msg":"Starting workers","controller":"clusterexternalsecret","controllerGroup":"external-secrets.io","controllerKind":"ClusterExternalSecret","worker count":1}
{"level":"info","ts":1765386499.906286,"msg":"Starting Controller","controller":"clusterpushsecret","controllerGroup":"external-secrets.io","controllerKind":"ClusterPushSecret"}
{"level":"info","ts":1765386499.9062984,"msg":"Starting workers","controller":"clusterpushsecret","controllerGroup":"external-secrets.io","controllerKind":"ClusterPushSecret","worker count":1}
{"level":"info","ts":1765386499.9063685,"msg":"Starting Controller","controller":"externalsecret","controllerGroup":"external-secrets.io","controllerKind":"ExternalSecret"}
{"level":"info","ts":1765386499.906376,"msg":"Starting workers","controller":"externalsecret","controllerGroup":"external-secrets.io","controllerKind":"ExternalSecret","worker count":1}
✅ Controller is running and all workers started successfully
Summary
✅ Deployment Successful
All components deployed and running:
✅ Global Values Applied Successfully
Global podLabels:
- team: platform → Present in all 3 deployments ✓
- environment: production → Present in all 3 deployments ✓
Global podAnnotations:
- owner: platform-team → Present in all 3 deployments ✓
- monitoring: prometheus → Present in all 3 deployments ✓
Global repository:
- ghcr.io/external-secrets/external-secrets → Applied to all containers ✓
✅ Functionality Verified
Running state with 0 restarts
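
The local-over-global precedence from the PR description, rendered with Go's text/template (the engine Helm templates are written in). This is an added example, not the chart's own template code. The Values type, the podMeta fragment, render and the app-tier label are assumptions, and it assumes the if/else picks one map rather than merging the two.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Values is a hypothetical stand-in for the keys named in the PR description.
type Values struct {
	Repository string
	PodLabels  map[string]string
}

// podMeta is a hypothetical template fragment, not copied from the chart:
// a local value wins when it is set, otherwise the global value is used.
const podMeta = `image: {{ if .Local.Repository }}{{ .Local.Repository }}{{ else }}{{ .Global.Repository }}{{ end }}
labels:
{{- if .Local.PodLabels }}{{ range $k, $v := .Local.PodLabels }}
  {{ $k }}: {{ $v }}{{ end }}
{{- else }}{{ range $k, $v := .Global.PodLabels }}
  {{ $k }}: {{ $v }}{{ end }}
{{- end }}
`

// Global values as used in the PR's manual test.
var globalVals = Values{
	Repository: "ghcr.io/external-secrets/external-secrets",
	PodLabels:  map[string]string{"team": "platform", "environment": "production"},
}

// Constructed per-deployment override (not from the PR).
var webhookLocal = Values{PodLabels: map[string]string{"app-tier": "webhook"}}

// render returns the pod metadata one deployment would get.
func render(global, local Values) string {
	var b strings.Builder
	t := template.Must(template.New("pod").Parse(podMeta))
	data := map[string]Values{"Global": global, "Local": local}
	if err := t.Execute(&b, data); err != nil {
		panic(err)
	}
	return b.String()
}

func main() {
	// No local values: the deployment inherits every global value.
	fmt.Print("controller:\n", render(globalVals, Values{}))
	// Local podLabels set: they replace the global labels for this deployment.
	fmt.Print("webhook:\n", render(globalVals, webhookLocal))
}
```

Under that assumption, a deployment that sets its own podLabels no longer carries the global ones, so any label that a NetworkPolicy or admission rule selects on has to be repeated in the local override.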