feat(charts): add hostAliases support by janlauber · Pull Request #5866 · external-secrets/external-secrets

janlauber · 2026-01-25T11:16:17Z

Problem Statement

The external-secrets Helm chart currently doesn't support adding custom hostAliases to pods, which is needed for DNS resolution in air-gapped environments or when custom hostname mappings are required.

Related Issue

#5865

Proposed Changes

Add support for hostAliases configuration in the Helm chart, allowing users to add custom entries to /etc/hosts for all three deployments (controller, webhook, cert-controller).

The implementation follows the existing pattern used for other pod-level configurations like tolerations and nodeSelector, supporting both:

Global defaults via global.hostAliases
Component-specific overrides via hostAliases, webhook.hostAliases, and certController.hostAliases

Format

PR title follows format: feat(charts): add hostAliases support

Checklist

I have read the contribution guidelines
All commits are signed with git commit --signoff
My changes have reasonable test coverage (15 new test cases added)
All tests pass with make helm.test (166 tests passed)
I ensured my PR is ready for review with make reviewable (can be done after PR creation if CI passes)

Summary

Adds hostAliases support to the Helm chart to allow adding custom entries to pod /etc/hosts (useful for air-gapped environments and custom hostname mappings).

Changes

Configuration:
- Introduced hostAliases at global (global.hostAliases), root/controller (hostAliases), and component levels (webhook.hostAliases, certController.hostAliases).
- Component-level values take precedence over global defaults.
- Updated values.yaml with empty hostAliases arrays and values.schema.json with new hostAliases properties.
Templates:
- Added conditional hostAliases blocks to controller (root deployment), webhook, and cert-controller deployment templates. Each uses component-level value with fallback to global.hostAliases.
Testing:
- Added ~15 test cases across controller, webhook, and cert-controller tests verifying default absence, component rendering, global fallback, and precedence.
- All tests pass (166 tests).
Documentation:
- Updated chart README to document the new hostAliases options.

Signed-off-by: Jan Lauber <jan.lauber@protonmail.ch>

coderabbitai · 2026-01-25T11:16:41Z

Walkthrough

Adds optional hostAliases support to the external-secrets Helm chart: new values and schema entries, conditional hostAliases rendering in controller, webhook, and cert-controller Deployment templates, updated defaults and README, and tests verifying presence, fallback, and precedence behavior.

Changes

Cohort / File(s)	Summary
Documentation & README `deploy/charts/external-secrets/README.md`	Added documentation entries for new hostAliases configuration locations.
Schema `deploy/charts/external-secrets/values.schema.json`	Added `hostAliases` array properties at root, `certController`, `webhook`, and `global.compatibility` to validate hostAliases values.
Deployment Templates `deploy/charts/external-secrets/templates/deployment.yaml`, `deploy/charts/external-secrets/templates/webhook-deployment.yaml`, `deploy/charts/external-secrets/templates/cert-controller-deployment.yaml`	Inserted conditional `hostAliases` blocks into pod specs; each uses component-level `hostAliases` with fallback to `global.hostAliases` and renders via `toYaml` when present.
Default Values `deploy/charts/external-secrets/values.yaml`	Added empty `hostAliases: []` defaults at root deployment level, `global`, `webhook`, and `certController` to expose settings for overrides.
Tests `deploy/charts/external-secrets/tests/controller_test.yaml`, `deploy/charts/external-secrets/tests/webhook_test.yaml`, `deploy/charts/external-secrets/tests/cert_controller_test.yaml`	Added test cases covering default absence, component-level configuration, global fallback, and precedence when both component and global `hostAliases` are present.

Possibly related issues

Add hostAliases support to Helm chart #5865 — Implements hostAliases support across controller, webhook, and cert-controller with component overrides and global fallback, matching the issue request.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

janlauber · 2026-02-04T13:48:04Z

Any news here? Or am I missing something?

Skarlso · 2026-02-05T07:24:33Z

Sorry, I was away for a while. :) I'll try and get to this on Friday.

Skarlso

Actually, this looks okay to me. Well done.

Skarlso · 2026-02-05T07:26:28Z

/ok-to-test sha=42e626de2cacf90c47e759dbcbf3e451a7af60e2

sonarqubecloud · 2026-02-05T07:26:44Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

eso-service-account-app · 2026-02-05T07:42:46Z

[Bot] - ✅ e2e for 42e626de2cacf90c47e759dbcbf3e451a7af60e2 passed

janlauber · 2026-02-05T08:23:16Z

@Skarlso no worries! Thanks for merging

…2 (#3782) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [external-secrets/external-secrets](https://github.com/external-secrets/external-secrets) | major | `v1.3.2` → `v2.0.0` | --- ### Release Notes <details> <summary>external-secrets/external-secrets (external-secrets/external-secrets)</summary> ### [`v2.0.0`](https://github.com/external-secrets/external-secrets/releases/tag/v2.0.0) [Compare Source](external-secrets/external-secrets@v1.3.2...v2.0.0) ### BREAKING CHANGE Please note that this release removed two of the unsupported and unmaintained providers Alibaba and Device42. Image: `ghcr.io/external-secrets/external-secrets:v2.0.0` Image: `ghcr.io/external-secrets/external-secrets:v2.0.0-ubi` Image: `ghcr.io/external-secrets/external-secrets:v2.0.0-ubi-boringssl`  #### What's Changed ##### General - chore: bump charts to 1.3.2 by [@gusfcarvalho](https://github.com/gusfcarvalho) in [#5923](external-secrets/external-secrets#5923) - feat(charts): add hostAliases support by [@janlauber](https://github.com/janlauber) in [#5866](external-secrets/external-secrets#5866) - chore: remove unmaintained secret stores by [@Skarlso](https://github.com/Skarlso) in [#5918](external-secrets/external-secrets#5918) - docs(infisical): document al provider auth methods by [@varonix0](https://github.com/varonix0) in [#5929](external-secrets/external-secrets#5929) - chore: Get validating webhook failurePolicy for Secretstore dynamically by [@LochanRn](https://github.com/LochanRn) in [#5605](external-secrets/external-secrets#5605) #### New Contributors - [@LochanRn](https://github.com/LochanRn) made their first contribution in [#5605](external-secrets/external-secrets#5605) **Full Changelog**: <external-secrets/external-secrets@v1.3.2...v2.0.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/3782 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [external-secrets](https://github.com/external-secrets/external-secrets) | major | `1.3.2` → `2.0.0` | --- ### Release Notes <details> <summary>external-secrets/external-secrets (external-secrets)</summary> ### [`v2.0.0`](https://github.com/external-secrets/external-secrets/releases/tag/v2.0.0) [Compare Source](external-secrets/external-secrets@v1.3.2...v2.0.0) ### BREAKING CHANGE Please note that this release removed two of the unsupported and unmaintained providers Alibaba and Device42. Image: `ghcr.io/external-secrets/external-secrets:v2.0.0` Image: `ghcr.io/external-secrets/external-secrets:v2.0.0-ubi` Image: `ghcr.io/external-secrets/external-secrets:v2.0.0-ubi-boringssl`  #### What's Changed ##### General - chore: bump charts to 1.3.2 by [@gusfcarvalho](https://github.com/gusfcarvalho) in [#5923](external-secrets/external-secrets#5923) - feat(charts): add hostAliases support by [@janlauber](https://github.com/janlauber) in [#5866](external-secrets/external-secrets#5866) - chore: remove unmaintained secret stores by [@Skarlso](https://github.com/Skarlso) in [#5918](external-secrets/external-secrets#5918) - docs(infisical): document al provider auth methods by [@varonix0](https://github.com/varonix0) in [#5929](external-secrets/external-secrets#5929) - chore: Get validating webhook failurePolicy for Secretstore dynamically by [@LochanRn](https://github.com/LochanRn) in [#5605](external-secrets/external-secrets#5605) #### New Contributors - [@LochanRn](https://github.com/LochanRn) made their first contribution in [#5605](external-secrets/external-secrets#5605) **Full Changelog**: <external-secrets/external-secrets@v1.3.2...v2.0.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/3788 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

Signed-off-by: Jan Lauber <jan.lauber@protonmail.ch> Co-authored-by: Gergely Bräutigam <skarlso777@gmail.com> Signed-off-by: Nattapong Ekudomsuk <nuttapong_mos@hotmail.com>

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [external-secrets](https://github.com/external-secrets/external-secrets) | major | `1.3.2` → `2.0.0` | --- ### Release Notes <details> <summary>external-secrets/external-secrets (external-secrets)</summary> ### [`v2.0.0`](https://github.com/external-secrets/external-secrets/releases/tag/v2.0.0) [Compare Source](external-secrets/external-secrets@v1.3.2...v2.0.0) ### BREAKING CHANGE Please note that this release removed two of the unsupported and unmaintained providers Alibaba and Device42. Image: `ghcr.io/external-secrets/external-secrets:v2.0.0` Image: `ghcr.io/external-secrets/external-secrets:v2.0.0-ubi` Image: `ghcr.io/external-secrets/external-secrets:v2.0.0-ubi-boringssl`  #### What's Changed ##### General - chore: bump charts to 1.3.2 by [@gusfcarvalho](https://github.com/gusfcarvalho) in [#5923](external-secrets/external-secrets#5923) - feat(charts): add hostAliases support by [@janlauber](https://github.com/janlauber) in [#5866](external-secrets/external-secrets#5866) - chore: remove unmaintained secret stores by [@Skarlso](https://github.com/Skarlso) in [#5918](external-secrets/external-secrets#5918) - docs(infisical): document al provider auth methods by [@varonix0](https://github.com/varonix0) in [#5929](external-secrets/external-secrets#5929) - chore: Get validating webhook failurePolicy for Secretstore dynamically by [@LochanRn](https://github.com/LochanRn) in [#5605](external-secrets/external-secrets#5605) #### New Contributors - [@LochanRn](https://github.com/LochanRn) made their first contribution in [#5605](external-secrets/external-secrets#5605) **Full Changelog**: <external-secrets/external-secrets@v1.3.2...v2.0.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://kubara.git.onstackit.cloud/STACKIT/kubara/pulls/283

Signed-off-by: Jan Lauber <jan.lauber@protonmail.ch> Co-authored-by: Gergely Bräutigam <skarlso777@gmail.com>

feat(charts): add hostAliases support

734b3c1

Signed-off-by: Jan Lauber <jan.lauber@protonmail.ch>

github-project-automation bot added this to External Secrets Jan 25, 2026

github-actions bot added area/charts Issues / Pull Requests related to our helm charts kind/feature Categorizes issue or PR as related to a new feature. size/m labels Jan 25, 2026

Skarlso reviewed Feb 5, 2026

View reviewed changes

Skarlso approved these changes Feb 5, 2026

View reviewed changes

Merge branch 'main' into feat/charts-add-hostaliases-support

42e626d

Skarlso merged commit 33b597c into external-secrets:main Feb 5, 2026
33 checks passed

github-project-automation bot moved this to Done in External Secrets Feb 5, 2026

janlauber deleted the feat/charts-add-hostaliases-support branch February 5, 2026 08:23

coderabbitai bot mentioned this pull request Feb 11, 2026

feat(charts): add new flag enable leader for cert-manager #5863

Merged

5 tasks

dsp0x4 pushed a commit to dsp0x4/external-secrets that referenced this pull request Mar 22, 2026

feat(charts): add hostAliases support (external-secrets#5866)

c0b2767

Signed-off-by: Jan Lauber <jan.lauber@protonmail.ch> Co-authored-by: Gergely Bräutigam <skarlso777@gmail.com>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat(charts): add hostAliases support#5866

feat(charts): add hostAliases support#5866
Skarlso merged 2 commits intoexternal-secrets:mainfrom
janlauber:feat/charts-add-hostaliases-support

janlauber commented Jan 25, 2026 •

edited by coderabbitai bot

Loading

Uh oh!

coderabbitai bot commented Jan 25, 2026 •

edited

Loading

Uh oh!

janlauber commented Feb 4, 2026 •

edited

Loading

Uh oh!

Skarlso commented Feb 5, 2026

Uh oh!

Skarlso left a comment

Uh oh!

Skarlso commented Feb 5, 2026

Uh oh!

sonarqubecloud bot commented Feb 5, 2026

Uh oh!

eso-service-account-app bot commented Feb 5, 2026

Uh oh!

Uh oh!

janlauber commented Feb 5, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Uh oh!

Conversation

janlauber commented Jan 25, 2026 • edited by coderabbitai bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Problem Statement

Related Issue

Proposed Changes

Format

Checklist

Summary

Changes

Uh oh!

coderabbitai bot commented Jan 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Possibly related issues

Uh oh!

janlauber commented Feb 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Skarlso commented Feb 5, 2026

Uh oh!

Skarlso left a comment

Choose a reason for hiding this comment

Uh oh!

Skarlso commented Feb 5, 2026

Uh oh!

sonarqubecloud bot commented Feb 5, 2026

Quality Gate passed

Uh oh!

eso-service-account-app bot commented Feb 5, 2026

Uh oh!

Uh oh!

janlauber commented Feb 5, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

janlauber commented Jan 25, 2026 •

edited by coderabbitai bot

Loading

coderabbitai bot commented Jan 25, 2026 •

edited

Loading

janlauber commented Feb 4, 2026 •

edited

Loading