fix: onepasswordsdk shared tenant by altering the provider in the client cache#5921
Merged
Skarlso merged 1 commit intoexternal-secrets:mainfrom Feb 3, 2026
Merged
Conversation
WalkthroughRefactors Provider initialization to allocate and return a new Provider instance (same client and vaultPrefix) instead of mutating the receiver. The new instance has its cache initialized and vault ID fetched via GetVault, and that new instance is returned. Changes
🚥 Pre-merge checks | ✅ 2✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
…ent cache Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
d973993 to
a614469
Compare
|
5 tasks
IdanAdar
approved these changes
Feb 3, 2026
nutmos
pushed a commit
to nutmos/external-secrets
that referenced
this pull request
Feb 11, 2026
…ent cache (external-secrets#5921) Signed-off-by: Nattapong Ekudomsuk <nuttapong_mos@hotmail.com>
nutmos
pushed a commit
to nutmos/external-secrets
that referenced
this pull request
Feb 18, 2026
…ent cache (external-secrets#5921) Signed-off-by: Nattapong Ekudomsuk <nuttapong_mos@hotmail.com>
radermacher-iits
pushed a commit
to kubara-io/kubara
that referenced
this pull request
Feb 19, 2026
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [external-secrets](https://github.com/external-secrets/external-secrets) | minor | `1.2.1` → `1.3.2` | --- ### Release Notes <details> <summary>external-secrets/external-secrets (external-secrets)</summary> ### [`v1.3.2`](https://github.com/external-secrets/external-secrets/releases/tag/v1.3.2) [Compare Source](external-secrets/external-secrets@v1.3.1...v1.3.2) Image: `ghcr.io/external-secrets/external-secrets:v1.3.2` Image: `ghcr.io/external-secrets/external-secrets:v1.3.2-ubi` Image: `ghcr.io/external-secrets/external-secrets:v1.3.2-ubi-boringssl` <!-- Release notes generated using configuration in .github/release.yml at main --> #### What's Changed ##### General - chore: release helm chart for v1.3.1 by [@​Skarlso](https://github.com/Skarlso) in [#​5860](external-secrets/external-secrets#5860) - chore(chart): Add missing tests for readinessProbe by [@​jcpunk](https://github.com/jcpunk) in [#​5769](external-secrets/external-secrets#5769) - docs: Update FluxCD example by [@​umizoom](https://github.com/umizoom) in [#​5862](external-secrets/external-secrets#5862) - fix(ci): Removed the unused check for Windows in Makefile by [@​HauptJ](https://github.com/HauptJ) in [#​5870](external-secrets/external-secrets#5870) - docs(release): Add actual dates for EOL of 1.x releases in stability and support page by [@​n4zukker](https://github.com/n4zukker) in [#​5889](external-secrets/external-secrets#5889) - docs: Passbolt provider maintenance ownership by [@​stripthis](https://github.com/stripthis) in [#​5886](external-secrets/external-secrets#5886) - chore: Update Passbolt MaintenanceStatus to MaintenanceStatusMaintained by [@​stripthis](https://github.com/stripthis) in [#​5887](external-secrets/external-secrets#5887) - fix(security): sanitize json.Unmarshal errors to prevent secret data … by [@​moolen](https://github.com/moolen) in [#​5884](external-secrets/external-secrets#5884) - fix: webhook initialization order by [@​gusfcarvalho](https://github.com/gusfcarvalho) in [#​5901](external-secrets/external-secrets#5901) - chore: Cleanup flags by [@​evrardj-roche](https://github.com/evrardj-roche) in [#​5845](external-secrets/external-secrets#5845) - fix: onepasswordsdk shared tenant by altering the provider in the client cache by [@​Skarlso](https://github.com/Skarlso) in [#​5921](external-secrets/external-secrets#5921) ##### Dependencies - chore(deps): bump github/codeql-action from 4.31.10 to 4.31.11 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5873](external-secrets/external-secrets#5873) - chore(deps): bump pymdown-extensions from 10.20 to 10.20.1 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5877](external-secrets/external-secrets#5877) - chore(deps): bump markdown from 3.10 to 3.10.1 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5880](external-secrets/external-secrets#5880) - chore(deps): bump ubi9/ubi from `22e9573` to `1f84f5c` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5871](external-secrets/external-secrets#5871) - chore(deps): bump actions/setup-python from 6.1.0 to 6.2.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5872](external-secrets/external-secrets#5872) - chore(deps): bump hashicorp/setup-terraform from [`93d5a27`](external-secrets/external-secrets@93d5a27) to [`dcc3150`](external-secrets/external-secrets@dcc3150) by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5875](external-secrets/external-secrets#5875) - chore(deps): bump actions/checkout from 6.0.1 to 6.0.2 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5876](external-secrets/external-secrets#5876) - chore(deps): bump step-security/harden-runner from 2.14.0 to 2.14.1 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5878](external-secrets/external-secrets#5878) - chore(deps): bump anchore/sbom-action from 0.21.1 to 0.22.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5874](external-secrets/external-secrets#5874) - chore(deps): bump packaging from 25.0 to 26.0 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5879](external-secrets/external-secrets#5879) - chore(deps): bump golang from `d9b2e14` to `98e6cff` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5907](external-secrets/external-secrets#5907) - chore(deps): bump alpine from `865b95f` to `2510918` in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5914](external-secrets/external-secrets#5914) - chore(deps): bump docker/login-action from 3.6.0 to 3.7.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5909](external-secrets/external-secrets#5909) - chore(deps): bump actions/cache from 5.0.2 to 5.0.3 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5912](external-secrets/external-secrets#5912) - chore(deps): bump actions/attest-build-provenance from 3.1.0 to 3.2.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5910](external-secrets/external-secrets#5910) - chore(deps): bump hashicorp/setup-terraform from [`dcc3150`](external-secrets/external-secrets@dcc3150) to [`ce70bcf`](external-secrets/external-secrets@ce70bcf) by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5911](external-secrets/external-secrets#5911) - chore(deps): bump ubi9/ubi from `1f84f5c` to `c8df11b` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5908](external-secrets/external-secrets#5908) - chore(deps): bump alpine from 3.23.2 to 3.23.3 in /e2e by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5915](external-secrets/external-secrets#5915) - chore(deps): bump alpine from `865b95f` to `2510918` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5906](external-secrets/external-secrets#5906) - chore(deps): bump pathspec from 1.0.3 to 1.0.4 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5916](external-secrets/external-secrets#5916) - chore(deps): bump babel from 2.17.0 to 2.18.0 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5917](external-secrets/external-secrets#5917) - chore(deps): bump github/codeql-action from 4.31.11 to 4.32.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5913](external-secrets/external-secrets#5913) #### New Contributors - [@​umizoom](https://github.com/umizoom) made their first contribution in [#​5862](external-secrets/external-secrets#5862) - [@​HauptJ](https://github.com/HauptJ) made their first contribution in [#​5870](external-secrets/external-secrets#5870) - [@​n4zukker](https://github.com/n4zukker) made their first contribution in [#​5889](external-secrets/external-secrets#5889) - [@​stripthis](https://github.com/stripthis) made their first contribution in [#​5886](external-secrets/external-secrets#5886) **Full Changelog**: <external-secrets/external-secrets@v1.3.1...v1.3.2> ### [`v1.3.1`](https://github.com/external-secrets/external-secrets/releases/tag/v1.3.1) [Compare Source](external-secrets/external-secrets@v1.2.1...v1.3.1) Image: `ghcr.io/external-secrets/external-secrets:v1.3.1` Image: `ghcr.io/external-secrets/external-secrets:v1.3.1-ubi` Image: `ghcr.io/external-secrets/external-secrets:v1.3.1-ubi-boringssl` <!-- Release notes generated using configuration in .github/release.yml at main --> For a Full release please referre to <https://github.com/external-secrets/external-secrets/releases/tag/v1.3.0>. This is a fix build for the docker publish flow. #### What's Changed ##### General - fix: ignore the in-toto manifest when promoting the docker build by [@​Skarlso](https://github.com/Skarlso) in [#​5859](external-secrets/external-secrets#5859) **Full Changelog**: <external-secrets/external-secrets@v1.3.0...v1.3.1> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4yIiwidXBkYXRlZEluVmVyIjoiNDIuOTUuNSIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6W119--> Reviewed-on: https://kubara.git.onstackit.cloud/STACKIT/kubara/pulls/250
5 tasks
dsp0x4
pushed a commit
to dsp0x4/external-secrets
that referenced
this pull request
Mar 22, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem Statement
What is the problem you're trying to solve?
Related Issue
Fixes #5920.
Proposed Changes
How do you like to solve the issue and why?
Format
Please ensure that your PR follows the following format for the title:
Where
scopeis optionally one of:Checklist
git commit --signoffmake testmake reviewableSummary
This PR fixes an issue where 1Password SDK Provider instances could share vault/tenant state across SecretStore requests, causing secrets from one vault to appear in another namespace.
Root cause
NewClient() mutated the receiver (
p *Provider) (vault ID, prefix, cache), so reused Provider instances could mix vault-specific state.Fix
NewClient() now allocates a new Provider instance populated with a new 1Password client, the request-specific vault prefix/ID, and a dedicated cache when configured, and returns that new instance instead of mutating and returning the receiver.
Changes