feat(helm): add readinessProbe support for external-secrets deployment #5831
Skarlso merged 74 commits into external-secrets:main from
a0d5671 to
e9c5c52
Compare
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@deploy/charts/external-secrets/templates/deployment.yaml`:
- Around line 139-142: The readinessProbe is conditional but the health endpoint
only starts when livenessProbe is enabled via the --live-addr flag, so add a
guard to enforce or decouple these settings: either (A) add template validation
that errors at render time when .Values.readinessProbe.enabled is true but
.Values.livenessProbe.enabled is false (use a Helm fail or required template
check), or (B) add a new value like .Values.healthServer.enabled and wire it
into both the command args (instead of depending on --live-addr) and the
readinessProbe/livenessProbe conditions so the health server starts whenever
either probe is enabled; reference readinessProbe, livenessProbe, and the
--live-addr flag to locate code to change. Ensure values.yaml is updated with a
comment describing the dependency or the new flag if you choose option B.
🧹 Nitpick comments (1)
deploy/charts/external-secrets/values.yaml (1)
367-388: Structure looks good; consider adding dependency documentation.
The readinessProbe configuration mirrors the livenessProbe pattern well, with appropriate defaults (e.g., `failureThreshold: 3` is reasonable for readiness). However, consider adding a comment noting that `livenessProbe.enabled` must also be `true` for the healthz endpoint to be available, since the health server is started via the `--live-addr` argument controlled by the livenessProbe configuration.
📝 Suggested documentation enhancement
readinessProbe: - # -- Enabled determines if the readiness probe should be used or not. By default it's disabled. + # -- Enabled determines if the readiness probe should be used or not. By default it's disabled. + # -- Note: Requires livenessProbe.enabled=true as the healthz endpoint is started by the liveness probe configuration. enabled: false
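Review bot: the added `# -- Note:` line under `readinessProbe:` records the livenessProbe.enabled dependency only as a values.yaml comment, so setting readinessProbe.enabled=true on its own still renders a probe against a /healthz endpoint that is never started. Pair the comment with a render-time check in deployment.yaml (a `fail` when readiness is enabled and liveness is not), and keep the wording in step with whichever behaviour the template ends up enforcing.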
📜 Review details
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (2)
- deploy/charts/external-secrets/templates/deployment.yaml
- deploy/charts/external-secrets/values.yaml
007f4b7 to
b4413e6
Compare
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@deploy/charts/external-secrets/values.yaml`:
- Around line 367-389: When readinessProbe.enabled is true but
livenessProbe.enabled is false the /healthz endpoint will never be started;
update the Helm templates to enforce the dependency by checking
.Values.readinessProbe.enabled and .Values.livenessProbe.enabled and either (a)
automatically enable liveness (set/override .Values.livenessProbe.enabled to
true or render livenessProbe when readiness is enabled) or (b) emit a template
fail with a clear message; ensure the readinessProbe spec (readinessProbe.spec,
readinessProbe.spec.httpGet.path/port) is only rendered when
livenessProbe.enabled is true or after you auto-toggle livenessProbe.enabled.
📒 Files selected for processing (1)
deploy/charts/external-secrets/values.yaml
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2026-01-09T19:14:48.246Z
Learnt from: rbstp
Repo: external-secrets/external-secrets PR: 5712
File: config/crds/bases/external-secrets.io_secretstores.yaml:1958-2044
Timestamp: 2026-01-09T19:14:48.246Z
Learning: In external-secrets CRDs, new providers are added to the GA v1 schema only; v1beta1 is maintained for backward compatibility and does not receive new features (e.g., DVLS should be v1-only).
Applied to files:
deploy/charts/external-secrets/values.yaml
🔇 Additional comments (1)
deploy/charts/external-secrets/values.yaml (1)
347-349: No action required. The `livenessProbe.spec.address` is properly consumed in `deployment.yaml` line 123 (`--live-addr={{ .Values.livenessProbe.spec.address }}:{{ .Values.livenessProbe.spec.httpGet.port }}`), and the readiness probe dependency is already enforced via the guard at `deployment.yaml` lines 139–140.
8f7051c to
b7f7f62
Compare
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@deploy/charts/external-secrets/templates/deployment.yaml`:
- Around line 122-124: The --live-addr flag currently always uses
.Values.livenessProbe.spec.httpGet.port which breaks cases where only
readinessProbe is enabled; change the template logic that renders the
--live-addr value to select the port from the enabled probe (use
.Values.readinessProbe.spec.httpGet.port when .Values.readinessProbe.enabled and
fallback to .Values.livenessProbe.spec.httpGet.port otherwise), and when both
.Values.livenessProbe.enabled and .Values.readinessProbe.enabled are true
optionally emit a warning or validate that
.Values.livenessProbe.spec.httpGet.port ==
.Values.readinessProbe.spec.httpGet.port to avoid mismatched ports; update the
conditional around the --live-addr rendering so the flag uses the selected port
variable.
📒 Files selected for processing (2)
- deploy/charts/external-secrets/templates/deployment.yaml
- deploy/charts/external-secrets/values.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
- deploy/charts/external-secrets/values.yaml
🔇 Additional comments (1)
deploy/charts/external-secrets/templates/deployment.yaml (1)
139-142: Readiness probe block looks good. Conditional render and spec wiring are consistent with the livenessProbe pattern.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@deploy/charts/external-secrets/templates/deployment.yaml`:
- Around line 122-125: The template always uses
.Values.livenessProbe.spec.address for the --live-addr flag which breaks when
only readinessProbe is enabled; update the template to pick the address with the
same ternary pattern used for $healthPort (e.g., compute $healthAddr := ternary
.Values.livenessProbe.spec.address .Values.readinessProbe.spec.address
.Values.livenessProbe.enabled and use --live-addr={{ $healthAddr }}:{{
$healthPort }}), and also add an address field to readinessProbe.spec in
values.yaml (e.g., address: "") so the readiness path has a defined value.
🧹 Nitpick comments (1)
deploy/charts/external-secrets/templates/deployment.yaml (1)
140-143: Use `omit "address"` for consistency with livenessProbe.
The livenessProbe rendering (line 138) uses `omit .Values.livenessProbe.spec "address"` to exclude the internal `address` field from the Kubernetes probe spec. The readinessProbe should follow the same pattern for consistency, especially if `address` is added to `readinessProbe.spec` as suggested above.
♻️ Suggested change
{{- if .Values.readinessProbe.enabled }} readinessProbe: -{{- toYaml .Values.readinessProbe.spec | nindent 12 }} +{{- toYaml (omit .Values.readinessProbe.spec "address") | nindent 12 }} {{- end }}
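Review bot: in the `+` line, `omit .Values.readinessProbe.spec "address"` is a no-op unless readinessProbe.spec actually carries an address key, and adding one (as the inline comment proposes with address: "") creates a second address setting that --live-addr ignores whenever livenessProbe.enabled is true, because the proposed ternary picks the liveness address in that case. State in values.yaml which address wins when both probes are enabled, or keep a single address source and leave the key out of readinessProbe.spec.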
67e9af3 to
76cdd03
Compare
With #5775 merged, I would prefer to use port names where possible

Go for it.
76cdd03 to
e3a8fdc
Compare
Actionable comments posted: 1
🧹 Nitpick comments (1)
deploy/charts/external-secrets/templates/deployment.yaml (1)
145-153: Optional: extract duplicated `$probeSpec` ternary into a named template.
The `$probeSpec` derivation at line 128 and line 146 is identical: `{{- $probeSpec := ternary .Values.livenessProbe.spec .Values.readinessProbe.spec .Values.livenessProbe.enabled }}`
Because Helm template variables don't cross `{{- if }}` block boundaries, the expression is necessarily repeated. Extracting this into a small named partial (`define "external-secrets.probeSpec"`) would make future changes to the selection logic a single-point edit.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@deploy/charts/external-secrets/templates/deployment.yaml`:
- Around line 127-134: The template silently picks livenessProbe.spec when both
livenessProbe.enabled and readinessProbe.enabled are true, which can mismatch
readinessProbe.spec.httpGet.port; add a Helm validation guard inside the
existing {{- if or .Values.livenessProbe.enabled .Values.readinessProbe.enabled
}} block (before $probeSpec is used) that checks when both
.Values.livenessProbe.enabled and .Values.readinessProbe.enabled are true and
the ports differ (compare .Values.livenessProbe.spec.httpGet.port vs
.Values.readinessProbe.spec.httpGet.port or the string/number variants) and call
fail with a clear message instructing to make ports match (mention the fields
livenessProbe.spec.httpGet.port and readinessProbe.spec.httpGet.port); this
enforces the documented requirement at template render time and prevents the
--live-addr / readiness mismatch.
---
Nitpick comments:
In `@deploy/charts/external-secrets/templates/deployment.yaml`:
- Around line 145-153: The duplicated ternary that computes $probeSpec (the
expression "ternary .Values.livenessProbe.spec .Values.readinessProbe.spec
.Values.livenessProbe.enabled") is repeated across blocks; extract it into a
reusable named template (e.g. define "external-secrets.probeSpec") and replace
both inline expressions with a call to that template to return the chosen spec;
update references that expect $probeSpec (in templates using
containerPort/httpGet.port checks and other probe logic) to call the named
template and capture its result into a local variable (e.g. $probeSpec) before
use.
📒 Files selected for processing (4)
- deploy/charts/external-secrets/README.md
- deploy/charts/external-secrets/templates/deployment.yaml
- deploy/charts/external-secrets/values.schema.json
- deploy/charts/external-secrets/values.yaml
🚧 Files skipped from review as they are similar to previous changes (3)
- deploy/charts/external-secrets/values.yaml
- deploy/charts/external-secrets/README.md
- deploy/charts/external-secrets/values.schema.json
e3a8fdc to
a640155
Compare
@AlexOQ You are still missing modifying main to actually add the readiness check. Also I left you a comment on the coderabbit if you fixed that one.

@AlexOQ could you please sign your commits? :)
86ad91d to
fa16376
Compare
@coderabbitai review

✅ Actions performed
Review triggered.
- Add readinessProbe configuration mirroring livenessProbe pattern
- Use named port 'live' for httpGet.port (aligned with PR external-secrets#5775)
- Reuse 'live' named port for readinessProbe since both probes share the same health server endpoint (/healthz on port 8082)
- Add spec.port for actual port number configuration
- Update --live-addr to start health server when either probe is enabled
- Handle kindOf check for string (named port) vs integer port values
- Add validation guard to fail if both probes enabled with mismatched ports

Fixes external-secrets#5776

Signed-off-by: AlexOQ <30403857+AlexOQ@users.noreply.github.com>
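The render-time guard and probe-spec selection discussed in the review comments and summarised in the commit message above, as an added Go example (not code from this PR or from the chart). The template text, `probeValues` and `renderLiveAddr` are hypothetical; `ternary`, `toString` and `fail` are local stand-ins for the Sprig/Helm functions of the same names, and the sketch compares `httpGet.port` values directly rather than modelling named ports.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strings"
	"text/template"
)

// Local stand-ins for the Sprig/Helm template functions named in the thread,
// so the selection and guard logic runs with the standard library only.
var funcs = template.FuncMap{
	"ternary": func(ifTrue, ifFalse, cond any) any {
		if b, ok := cond.(bool); ok && b {
			return ifTrue
		}
		return ifFalse
	},
	"toString": func(v any) string { return fmt.Sprint(v) },
	"fail":     func(msg string) (string, error) { return "", errors.New(msg) },
}

// Hypothetical template: start the health server when either probe is enabled,
// pick the spec with the ternary from the review, and refuse to render when
// both probes are enabled with different ports (int and string forms compared
// as strings, since values files can carry either).
const argsTemplate = `
{{- $live := .Values.livenessProbe -}}
{{- $ready := .Values.readinessProbe -}}
{{- if or $live.enabled $ready.enabled -}}
  {{- if and $live.enabled $ready.enabled (ne (toString $live.spec.httpGet.port) (toString $ready.spec.httpGet.port)) -}}
    {{- fail "livenessProbe.spec.httpGet.port and readinessProbe.spec.httpGet.port must match when both probes are enabled" -}}
  {{- end -}}
  {{- $probeSpec := ternary $live.spec $ready.spec $live.enabled -}}
--live-addr={{ $live.spec.address }}:{{ $probeSpec.httpGet.port }}
{{- end -}}
`

// probeValues builds a constructed values tree with the two probe sections.
func probeValues(liveOn, readyOn bool, livePort, readyPort any) map[string]any {
	spec := func(port any) map[string]any {
		return map[string]any{
			"address": "",
			"httpGet": map[string]any{"path": "/healthz", "port": port},
		}
	}
	return map[string]any{
		"livenessProbe":  map[string]any{"enabled": liveOn, "spec": spec(livePort)},
		"readinessProbe": map[string]any{"enabled": readyOn, "spec": spec(readyPort)},
	}
}

// renderLiveAddr renders the container argument, or returns the guard's error.
func renderLiveAddr(values map[string]any) (string, error) {
	t, err := template.New("args").Funcs(funcs).Parse(argsTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]any{"Values": values}); err != nil {
		return "", err
	}
	return strings.TrimSpace(buf.String()), nil
}

func main() {
	cases := []struct {
		name   string
		values map[string]any
	}{
		{"readiness only", probeValues(false, true, 8082, 9090)},
		{"both, int vs string port", probeValues(true, true, 8082, "8082")},
		{"both, mismatched ports", probeValues(true, true, 8082, 9090)},
		{"neither", probeValues(false, false, 8082, 8082)},
	}
	for _, c := range cases {
		out, err := renderLiveAddr(c.values)
		fmt.Printf("%-26s out=%q err=%v\n", c.name, out, err)
	}
}
```
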
…ets#5984) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: AlexOQ <30403857+AlexOQ@users.noreply.github.com>
…crets#5985) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: AlexOQ <30403857+AlexOQ@users.noreply.github.com>
…rnal-secrets#6094) Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.5.4 to 6.5.5. - [Changelog](https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst) - [Commits](tornadoweb/tornado@v6.5.4...v6.5.5) --- updated-dependencies: - dependency-name: tornado dependency-version: 6.5.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: AlexOQ <30403857+AlexOQ@users.noreply.github.com>
…ets#6095) Bumps [charset-normalizer](https://github.com/jawah/charset_normalizer) from 3.4.5 to 3.4.6. - [Release notes](https://github.com/jawah/charset_normalizer/releases) - [Changelog](https://github.com/jawah/charset_normalizer/blob/master/CHANGELOG.md) - [Commits](jawah/charset_normalizer@3.4.5...3.4.6) --- updated-dependencies: - dependency-name: charset-normalizer dependency-version: 3.4.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: AlexOQ <30403857+AlexOQ@users.noreply.github.com>
Signed-off-by: AlexOQ <30403857+AlexOQ@users.noreply.github.com>
…xternal-secrets#6089) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: AlexOQ <30403857+AlexOQ@users.noreply.github.com>
…rnal-secrets#6092) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: AlexOQ <30403857+AlexOQ@users.noreply.github.com>
…... (external-secrets#6056) Co-authored-by: Gergely Bräutigam <gergely.brautigam@sap.com> Signed-off-by: AlexOQ <30403857+AlexOQ@users.noreply.github.com>
…... (external-secrets#6036) Co-authored-by: Gergely Bräutigam <gergely.brautigam@sap.com> Signed-off-by: AlexOQ <30403857+AlexOQ@users.noreply.github.com>
…ates (external-secrets#6058) Co-authored-by: Gergely Bräutigam <gergely.brautigam@sap.com> Signed-off-by: AlexOQ <30403857+AlexOQ@users.noreply.github.com>
…ternal-secrets#6090) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: AlexOQ <30403857+AlexOQ@users.noreply.github.com>
…l-secrets#6102) Signed-off-by: AlexOQ <30403857+AlexOQ@users.noreply.github.com>
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com> Signed-off-by: AlexOQ <30403857+AlexOQ@users.noreply.github.com>
Signed-off-by: AlexOQ <30403857+AlexOQ@users.noreply.github.com>
73f7234 to
d7fd3cb
Compare
🧹 Nitpick comments (1)
deploy/charts/external-secrets/README.md (1)
187-196: Minor observation on documentation clarity.
The documentation for `readinessProbe.enabled` (line 187) combines two concepts: the enabled toggle description and the health server configuration note. This appears to be generated from the YAML comments, but the description column shows "The health server address/port is configured via livenessProbe.spec.address and livenessProbe.spec.port" which is actually from the note comment rather than the primary description.
This is likely an artifact of how the README is generated from YAML comments. The behavior is correct, and the note is helpful context, but consider whether the description column should focus on the primary purpose ("Enabled determines if the readiness probe should be used or not") with the health server note as supplementary information.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In `@deploy/charts/external-secrets/README.md`:
- Around line 187-196: Update the README entry for readinessProbe.enabled so the
description focuses on its primary purpose (e.g., "Determines whether the
readiness probe is enabled") and move the health-server configuration note into
a separate supplemental sentence or note referencing livenessProbe.spec.address
and livenessProbe.spec.port; locate and change the source comment that generates
the README (the YAML comment used to create the table row for
readinessProbe.enabled) so it no longer mixes the primary description with the
livenessProbe address/port note.
📒 Files selected for processing (6)
- cmd/controller/root.go
- deploy/charts/external-secrets/README.md
- deploy/charts/external-secrets/templates/deployment.yaml
- deploy/charts/external-secrets/tests/controller_test.yaml
- deploy/charts/external-secrets/values.schema.json
- deploy/charts/external-secrets/values.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
- deploy/charts/external-secrets/templates/deployment.yaml
Signed-off-by: AlexOQ <30403857+AlexOQ@users.noreply.github.com>
/ok-to-test sha=0f6f905bd5d66a6368f8e6b402f46d07468c2d8d
…2.2.0 (#4923)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [external-secrets/external-secrets](https://github.com/external-secrets/external-secrets) | minor | `v2.1.0` → `v2.2.0` |

---

> ⚠️ **Warning**
>
> Some dependencies could not be looked up. Check the [Dependency Dashboard](issues/2) for more information.

---

### Release Notes

<details>
<summary>external-secrets/external-secrets (external-secrets/external-secrets)</summary>

### [`v2.2.0`](https://github.com/external-secrets/external-secrets/releases/tag/v2.2.0)

[Compare Source](external-secrets/external-secrets@v2.1.0...v2.2.0)

Image: `ghcr.io/external-secrets/external-secrets:v2.2.0`
Image: `ghcr.io/external-secrets/external-secrets:v2.2.0-ubi`
Image: `ghcr.io/external-secrets/external-secrets:v2.2.0-ubi-boringssl`

#### What's Changed

##### General

- chore: release charts v2.1.0 by [@Skarlso](https://github.com/Skarlso) in [#6030](external-secrets/external-secrets#6030)
- chore: fix the stability doc by [@Skarlso](https://github.com/Skarlso) in [#6035](external-secrets/external-secrets#6035)
- fix(security): Fix vulnerabilities by [@othomann](https://github.com/othomann) in [#6052](external-secrets/external-secrets#6052)
- fix(aws): sync tags and resource policy even when secret value unchanged by [@evs-secops](https://github.com/evs-secops) in [#6025](external-secrets/external-secrets#6025)
- fix: publish now uses docker build v4 which required some changes by [@Skarlso](https://github.com/Skarlso) in [#6062](external-secrets/external-secrets#6062)
- feat(gcpsm): auto-detect projectID from GCP metadata server by [@patjlm](https://github.com/patjlm) in [#5922](external-secrets/external-secrets#5922)
- chore(templating): Remove years in license and their checks by [@evrardj-roche](https://github.com/evrardj-roche) in [#5955](external-secrets/external-secrets#5955)
- docs: Add Roche to official ADOPTERS by [@evrardj-roche](https://github.com/evrardj-roche) in [#6076](external-secrets/external-secrets#6076)
- feat: Add Last Sync column to ExternalSecret and PushSecret printers by [@jaruwat-panturat](https://github.com/jaruwat-panturat) in [#6068](external-secrets/external-secrets#6068)
- fix(onepassword): support native item IDs by [@chadxz](https://github.com/chadxz) in [#6073](external-secrets/external-secrets#6073)
- feat: extract LGTM processor to external JS file with tests by [@mateenali66](https://github.com/mateenali66) in [#6074](external-secrets/external-secrets#6074)
- feat: fail fast if LGTM label does not exist in repository by [@mateenali66](https://github.com/mateenali66) in [#6078](external-secrets/external-secrets#6078)
- feat(passbolt): add support for Passbolt V5 API by [@cedricherzog-passbolt](https://github.com/cedricherzog-passbolt) in [#5919](external-secrets/external-secrets#5919)
- fix(infisical): dataFrom.find.path should filter by secret path not name by [@johnvox](https://github.com/johnvox) in [#6086](external-secrets/external-secrets#6086)
- fix: disable the priority queue which misbehaves at scale by [@Skarlso](https://github.com/Skarlso) in [#6083](external-secrets/external-secrets#6083)
- chore: update go version to 1.26.1 by [@Skarlso](https://github.com/Skarlso) in [#6072](external-secrets/external-secrets#6072)
- docs(aws): fix PushSecret metadata indentation in resource policy exa... by [@Br1an67](https://github.com/Br1an67) in [#6056](external-secrets/external-secrets#6056)
- fix(aws): prevent EC2 IMDS fallback when explicit credentials are pro... by [@Br1an67](https://github.com/Br1an67) in [#6036](external-secrets/external-secrets#6036)
- feat(templating): Add certSANs function to extract SANs from certificates by [@mzdeb](https://github.com/mzdeb) in [#6058](external-secrets/external-secrets#6058)
- docs: document template.metadata labels/annotations behavior by [@lucpas](https://github.com/lucpas) in [#6102](external-secrets/external-secrets#6102)
- fix: CODEOWNERS are seriously out of date by [@Skarlso](https://github.com/Skarlso) in [#6106](external-secrets/external-secrets#6106)
- feat(helm): add readinessProbe support for external-secrets deployment by [@AlexOQ](https://github.com/AlexOQ) in [#5831](external-secrets/external-secrets#5831)
- fix: update grpc for CVE-2026-33186 by [@Skarlso](https://github.com/Skarlso) in [#6108](external-secrets/external-secrets#6108)
- feat(azurekv): add expiration time to azure kv secret by [@muraliavarma](https://github.com/muraliavarma) in [#5935](external-secrets/external-secrets#5935)
- feat: add path to cloud.ru provider by [@heavyandrew](https://github.com/heavyandrew) in [#5952](external-secrets/external-secrets#5952)
- fix(add-eso-version): fix separator line pattern in add\_eso\_version.sh script by [@riccardomc](https://github.com/riccardomc) in [#6113](external-secrets/external-secrets#6113)

##### Dependencies

- chore(deps): bump zizmorcore/zizmor-action from 0.5.0 to 0.5.2 by [@dependabot](https://github.com/dependabot)\[bot] in [#6038](external-secrets/external-secrets#6038)
- chore(deps): bump charset-normalizer from 3.4.4 to 3.4.5 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6047](external-secrets/external-secrets#6047)
- chore(deps): bump platformdirs from 4.9.2 to 4.9.4 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6050](external-secrets/external-secrets#6050)
- chore(deps): bump mkdocs-material from 9.7.3 to 9.7.4 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6049](external-secrets/external-secrets#6049)
- chore(deps): bump github/codeql-action from 4.32.4 to 4.32.6 by [@dependabot](https://github.com/dependabot)\[bot] in [#6039](external-secrets/external-secrets#6039)
- chore(deps): bump step-security/harden-runner from 2.15.0 to 2.15.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#6043](external-secrets/external-secrets#6043)
- chore(deps): bump actions/dependency-review-action from 4.8.3 to 4.9.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6040](external-secrets/external-secrets#6040)
- chore(deps): bump crazy-max/ghaction-import-gpg from 6.3.0 to 7.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6044](external-secrets/external-secrets#6044)
- chore(deps): bump docker/login-action from 3.7.0 to 4.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6042](external-secrets/external-secrets#6042)
- chore(deps): bump docker/setup-buildx-action from 3.12.0 to 4.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6041](external-secrets/external-secrets#6041)
- chore(deps): bump docker/setup-qemu-action from 3.7.0 to 4.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6046](external-secrets/external-secrets#6046)
- chore(deps): bump aquasecurity/trivy-action from 0.34.1 to 0.35.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6048](external-secrets/external-secrets#6048)
- chore(deps): bump anchore/sbom-action from 0.23.0 to 0.23.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#6093](external-secrets/external-secrets#6093)
- chore(deps): bump distroless/static from `28efbe9` to `47b2d72` by [@dependabot](https://github.com/dependabot)\[bot] in [#6088](external-secrets/external-secrets#6088)
- chore(deps): bump ubi9/ubi from `cecb1cd` to `6ed9f6f` by [@dependabot](https://github.com/dependabot)\[bot] in [#6087](external-secrets/external-secrets#6087)
- chore(deps): bump mkdocs-material from 9.7.4 to 9.7.5 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6096](external-secrets/external-secrets#6096)
- chore(deps): bump tornado from 6.5.4 to 6.5.5 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6094](external-secrets/external-secrets#6094)
- chore(deps): bump charset-normalizer from 3.4.5 to 3.4.6 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#6095](external-secrets/external-secrets#6095)
- chore(deps): bump step-security/harden-runner from 2.15.1 to 2.16.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6089](external-secrets/external-secrets#6089)
- chore(deps): bump sigstore/cosign-installer from 4.0.0 to 4.1.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6092](external-secrets/external-secrets#6092)
- chore(deps): bump softprops/action-gh-release from 2.5.0 to 2.6.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#6090](external-secrets/external-secrets#6090)
- chore(deps): bump actions/create-github-app-token from 2.2.1 to 3.0.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#6091](external-secrets/external-secrets#6091)

#### New Contributors

- [@othomann](https://github.com/othomann) made their first contribution in [#6052](external-secrets/external-secrets#6052)
- [@evs-secops](https://github.com/evs-secops) made their first contribution in [#6025](external-secrets/external-secrets#6025)
- [@patjlm](https://github.com/patjlm) made their first contribution in [#5922](external-secrets/external-secrets#5922)
- [@jaruwat-panturat](https://github.com/jaruwat-panturat) made their first contribution in [#6068](external-secrets/external-secrets#6068)
- [@chadxz](https://github.com/chadxz) made their first contribution in [#6073](external-secrets/external-secrets#6073)
- [@mateenali66](https://github.com/mateenali66) made their first contribution in [#6074](external-secrets/external-secrets#6074)
- [@cedricherzog-passbolt](https://github.com/cedricherzog-passbolt) made their first contribution in [#5919](external-secrets/external-secrets#5919)
- [@johnvox](https://github.com/johnvox) made their first contribution in [#6086](external-secrets/external-secrets#6086)
- [@Br1an67](https://github.com/Br1an67) made their first contribution in [#6056](external-secrets/external-secrets#6056)
- [@mzdeb](https://github.com/mzdeb) made their first contribution in [#6058](external-secrets/external-secrets#6058)
- [@lucpas](https://github.com/lucpas) made their first contribution in [#6102](external-secrets/external-secrets#6102)
- [@AlexOQ](https://github.com/AlexOQ) made their first contribution in [#5831](external-secrets/external-secrets#5831)
- [@muraliavarma](https://github.com/muraliavarma) made their first contribution in [#5935](external-secrets/external-secrets#5935)
- [@heavyandrew](https://github.com/heavyandrew) made their first contribution in [#5952](external-secrets/external-secrets#5952)

**Full Changelog**: <external-secrets/external-secrets@v2.1.0...v2.2.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/4923
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
by [@​Br1an67](https://github.com/Br1an67) in [#​6036](external-secrets/external-secrets#6036) - feat(templating): Add certSANs function to extract SANs from certificates by [@​mzdeb](https://github.com/mzdeb) in [#​6058](external-secrets/external-secrets#6058) - docs: document template.metadata labels/annotations behavior by [@​lucpas](https://github.com/lucpas) in [#​6102](external-secrets/external-secrets#6102) - fix: CODEOWNERS are seriously out of date by [@​Skarlso](https://github.com/Skarlso) in [#​6106](external-secrets/external-secrets#6106) - feat(helm): add readinessProbe support for external-secrets deployment by [@​AlexOQ](https://github.com/AlexOQ) in [#​5831](external-secrets/external-secrets#5831) - fix: update grpc for CVE-2026-33186 by [@​Skarlso](https://github.com/Skarlso) in [#​6108](external-secrets/external-secrets#6108) - feat(azurekv): add expiration time to azure kv secret by [@​muraliavarma](https://github.com/muraliavarma) in [#​5935](external-secrets/external-secrets#5935) - feat: add path to cloud.ru provider by [@​heavyandrew](https://github.com/heavyandrew) in [#​5952](external-secrets/external-secrets#5952) - fix(add-eso-version): fix separator line pattern in add\_eso\_version.sh script by [@​riccardomc](https://github.com/riccardomc) in [#​6113](external-secrets/external-secrets#6113) ##### Dependencies - chore(deps): bump zizmorcore/zizmor-action from 0.5.0 to 0.5.2 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6038](external-secrets/external-secrets#6038) - chore(deps): bump charset-normalizer from 3.4.4 to 3.4.5 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6047](external-secrets/external-secrets#6047) - chore(deps): bump platformdirs from 4.9.2 to 4.9.4 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6050](external-secrets/external-secrets#6050) - chore(deps): bump mkdocs-material from 9.7.3 to 9.7.4 in /hack/api-docs by 
[@​dependabot](https://github.com/dependabot)\[bot] in [#​6049](external-secrets/external-secrets#6049) - chore(deps): bump github/codeql-action from 4.32.4 to 4.32.6 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6039](external-secrets/external-secrets#6039) - chore(deps): bump step-security/harden-runner from 2.15.0 to 2.15.1 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6043](external-secrets/external-secrets#6043) - chore(deps): bump actions/dependency-review-action from 4.8.3 to 4.9.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6040](external-secrets/external-secrets#6040) - chore(deps): bump crazy-max/ghaction-import-gpg from 6.3.0 to 7.0.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6044](external-secrets/external-secrets#6044) - chore(deps): bump docker/login-action from 3.7.0 to 4.0.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6042](external-secrets/external-secrets#6042) - chore(deps): bump docker/setup-buildx-action from 3.12.0 to 4.0.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6041](external-secrets/external-secrets#6041) - chore(deps): bump docker/setup-qemu-action from 3.7.0 to 4.0.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6046](external-secrets/external-secrets#6046) - chore(deps): bump aquasecurity/trivy-action from 0.34.1 to 0.35.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6048](external-secrets/external-secrets#6048) - chore(deps): bump anchore/sbom-action from 0.23.0 to 0.23.1 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6093](external-secrets/external-secrets#6093) - chore(deps): bump distroless/static from `28efbe9` to `47b2d72` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6088](external-secrets/external-secrets#6088) - chore(deps): bump ubi9/ubi from `cecb1cd` to `6ed9f6f` by [@​dependabot](https://github.com/dependabot)\[bot] in 
[#​6087](external-secrets/external-secrets#6087) - chore(deps): bump mkdocs-material from 9.7.4 to 9.7.5 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6096](external-secrets/external-secrets#6096) - chore(deps): bump tornado from 6.5.4 to 6.5.5 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6094](external-secrets/external-secrets#6094) - chore(deps): bump charset-normalizer from 3.4.5 to 3.4.6 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6095](external-secrets/external-secrets#6095) - chore(deps): bump step-security/harden-runner from 2.15.1 to 2.16.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6089](external-secrets/external-secrets#6089) - chore(deps): bump sigstore/cosign-installer from 4.0.0 to 4.1.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6092](external-secrets/external-secrets#6092) - chore(deps): bump softprops/action-gh-release from 2.5.0 to 2.6.1 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6090](external-secrets/external-secrets#6090) - chore(deps): bump actions/create-github-app-token from 2.2.1 to 3.0.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​6091](external-secrets/external-secrets#6091) ##### New Contributors - [@​othomann](https://github.com/othomann) made their first contribution in [#​6052](external-secrets/external-secrets#6052) - [@​evs-secops](https://github.com/evs-secops) made their first contribution in [#​6025](external-secrets/external-secrets#6025) - [@​patjlm](https://github.com/patjlm) made their first contribution in [#​5922](external-secrets/external-secrets#5922) - [@​jaruwat-panturat](https://github.com/jaruwat-panturat) made their first contribution in [#​6068](external-secrets/external-secrets#6068) - [@​chadxz](https://github.com/chadxz) made their first contribution in [#​6073](external-secrets/external-secrets#6073) - 
[@​mateenali66](https://github.com/mateenali66) made their first contribution in [#​6074](external-secrets/external-secrets#6074) - [@​cedricherzog-passbolt](https://github.com/cedricherzog-passbolt) made their first contribution in [#​5919](external-secrets/external-secrets#5919) - [@​johnvox](https://github.com/johnvox) made their first contribution in [#​6086](external-secrets/external-secrets#6086) - [@​Br1an67](https://github.com/Br1an67) made their first contribution in [#​6056](external-secrets/external-secrets#6056) - [@​mzdeb](https://github.com/mzdeb) made their first contribution in [#​6058](external-secrets/external-secrets#6058) - [@​lucpas](https://github.com/lucpas) made their first contribution in [#​6102](external-secrets/external-secrets#6102) - [@​AlexOQ](https://github.com/AlexOQ) made their first contribution in [#​5831](external-secrets/external-secrets#5831) - [@​muraliavarma](https://github.com/muraliavarma) made their first contribution in [#​5935](external-secrets/external-secrets#5935) - [@​heavyandrew](https://github.com/heavyandrew) made their first contribution in [#​5952](external-secrets/external-secrets#5952) **Full Changelog**: <external-secrets/external-secrets@v2.1.0...v2.2.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). 
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41OS4yIiwidXBkYXRlZEluVmVyIjoiNDMuNTkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiY2hhcnQiXX0=--> Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/4927 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>



Summary
This PR adds optional `readinessProbe` configuration for the main external-secrets deployment, addressing #5776.

Changes:
- `readinessProbe` configuration section to `values.yaml` mirroring the existing `livenessProbe` pattern
- `deployment.yaml`

Configuration Example

Testing
- `helm lint` passes
- `helm template` renders correctly with `readinessProbe.enabled=true`
- `helm template` renders correctly with default values (no readinessProbe in main deployment)

Fixes #5776
Adds optional readinessProbe support for external-secrets Deployment
This PR introduces an optional, configurable readinessProbe for the external-secrets Helm chart to address linter warnings and enable Kubernetes readiness checks (fixes #5776). Readiness is disabled by default for backward compatibility.
Key changes:
Testing:
Backward compatibility: readinessProbe is opt-in (disabled by default); existing behavior unchanged unless enabled.