
feat(templating): Add certSANs function to extract SANs from certificates#6058

Merged
Skarlso merged 3 commits into external-secrets:main from mzdeb:FEAT/certSANs
Mar 17, 2026

Conversation


@mzdeb mzdeb commented Mar 10, 2026

Problem Statement

Sometimes users need to inspect or reuse the domains/IPs that a certificate covers directly within ExternalSecret templates, e.g. to build comma-separated SAN lists or extract the primary domain.

Related Issue

Fixes #6057

Proposed Changes

Add a new certSANs template function that extracts Subject Alternative Names (SANs) from PEM-encoded certificates. The function returns a list of all SANs including DNS names, IP addresses, email addresses, and URIs.

The function integrates into the existing template pipeline and can be combined with filterPEM and filterCertChain for full certificate chain processing.

Checklist

  • I have read the contribution guidelines
  • All commits are signed with git commit --signoff
  • My changes have reasonable test coverage
  • All tests pass with make test
  • I ensured my PR is ready for review with make reviewable

Overview

Adds a new certSANs template function to ExternalSecrets to extract Subject Alternative Names (DNS names, IPs, email addresses, and URIs) from PEM-encoded certificates within templates. Fixes #6057.

Changes

  • Core:

    • Adds private certSANs(input string) in runtime/template/v2/pem.go to decode PEM and return all SAN entries as []string.
    • Exposes certSANs in the template FuncMap (runtime/template/v2/template.go).
  • Docs & Examples:

    • Documents certSANs in docs/guides/templating.md and adds a usage snippet docs/snippets/certsans-template-v2-external-secret.yaml showing composition with filterPEM, filterCertChain, join, index, and toJson.
  • Tests:

    • Adds tests in runtime/template/v2/pem_test.go and runtime/template/v2/template_test.go covering SAN extraction, pipeline composition, and error cases.
    • Adds test certificate runtime/template/v2/_testdata/sans.crt.
    • Note: raw summary indicates a duplicated TestCertSANs block in pem_test.go that should be deduplicated.

Other

  • Commits are signed and tests pass locally (make test) per author.

@github-actions github-actions bot added the labels area/templating (Issues / Pull Requests related to templating engines), kind/feature (Categorizes issue or PR as related to a new feature), kind/documentation (Categorizes issue or PR as related to documentation), component/github-actions and size/m on Mar 10, 2026

coderabbitai bot commented Mar 10, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Adds a certSANs template function to extract Subject Alternative Names (DNS, IP, email, URI) from PEM certificates; includes implementation, template exposure, tests, documentation, and an example ExternalSecret snippet.

Changes

| Cohort | File(s) | Summary |
|---|---|---|
| Core implementation | runtime/template/v2/pem.go | Adds private certSANs to decode PEM and collect DNSNames, IPAddresses, EmailAddresses, and URIs; adds fmt import for error messages. |
| Template integration | runtime/template/v2/template.go | Registers certSANs in the template function map (tplFuncs) to expose it to templates. |
| Tests & fixtures | runtime/template/v2/pem_test.go, runtime/template/v2/template_test.go, runtime/template/v2/_testdata/sans.crt | Adds unit tests and a PEM fixture validating multiple certSANs scenarios (valid SANs, invalid/empty input, junk before PEM, file-based certificate). Note: pem_test.go contains a duplicated TestCertSANs block that should be deduplicated. |
| Documentation & examples | docs/guides/templating.md, docs/snippets/certsans-template-v2-external-secret.yaml | Adds docs describing certSANs, usage guidance combining with filterPEM/filterCertChain, helper table entry, and an ExternalSecret v2 example template producing SANs outputs. |
| CI workflow | .github/workflows/zizmor.yml | No functional change; only newline/EOF formatting difference in a comment. |
🚥 Pre-merge checks | ✅ 1 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Out of Scope Changes check | ⚠️ Warning | One duplicate TestCertSANs test block exists in pem_test.go. The .github/workflows/zizmor.yml change is a whitespace-only formatting change unrelated to feature requirements. | Remove the duplicate TestCertSANs test block from pem_test.go. Consider reverting the whitespace change to zizmor.yml or clarify its necessity in relation to feature objectives. |

✅ Passed checks (1 passed)

| Check name | Status | Explanation |
|---|---|---|
| Linked Issues check | ✅ Passed | The PR implements all requirements from issue #6057: certSANs function parses PEM certificates, extracts DNS/IP/email/URI SANs, returns []string, and composes with existing template helpers. |



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
runtime/template/v2/pem_test.go (1)

378-431: Add one mixed-SAN fixture to cover the full certSANs contract.

These cases only assert DNS SANs, so regressions in IP, email, URI extraction—or their ordering—would still pass. A single certificate fixture containing all SAN types would make the new helper's behavior much harder to regress.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@runtime/template/v2/pem_test.go` around lines 378 - 431, Add a new
certificate fixture that includes a mix of SAN types (DNS, IP, email, URI) and a
test case in TestCertSANs that reads that fixture and asserts certSANs returns
the expected DNS SANs only; update the test suite by (1) adding a file like
_testdata/mixed.crt containing a cert with multiple DNS entries plus
IP/email/URI SANs, and (2) adding a test entry in TestCertSANs that calls
certSANs with the mixed fixture (use os.ReadFile as in the foo.crt case) and
checks the returned []string contains the DNS names in the expected order.
Ensure references: TestCertSANs and certSANs.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/snippets/certsans-template-v2-external-secret.yaml`:
- Around line 12-16: The YAML template lines using expressions like filterPEM,
filterCertChain, certSANs, join, index and toJson must be wrapped as
single-quoted YAML scalars so the inner double-quoted string literals
("CERTIFICATE", "leaf", ",") don’t break the outer quotes; update the three
lines that set sans, primary-domain, and sans-json to use single quotes around
the entire template expression (e.g., quote the whole {{ ... }} expression)
while leaving the internal operators and arguments unchanged.

In `@runtime/template/v2/pem.go`:
- Around line 135-142: The SANs slice is created with length equal to the total
entries which inserts empty strings before appends; change the allocation to
preallocate capacity only by using make([]string, 0, total) for sans, where
total =
len(cert.DNSNames)+len(cert.IPAddresses)+len(cert.EmailAddresses)+len(cert.URIs),
then keep the existing append logic that adds cert.DNSNames, ip.String(),
cert.EmailAddresses, and uri.String() so no leading empty entries are produced.

---

Nitpick comments:
In `@runtime/template/v2/pem_test.go`:
- Around line 378-431: Add a new certificate fixture that includes a mix of SAN
types (DNS, IP, email, URI) and a test case in TestCertSANs that reads that
fixture and asserts certSANs returns the expected DNS SANs only; update the test
suite by (1) adding a file like _testdata/mixed.crt containing a cert with
multiple DNS entries plus IP/email/URI SANs, and (2) adding a test entry in
TestCertSANs that calls certSANs with the mixed fixture (use os.ReadFile as in
the foo.crt case) and checks the returned []string contains the DNS names in the
expected order. Ensure references: TestCertSANs and certSANs.


📥 Commits

Reviewing files that changed from the base of the PR and between 81078c9 and 7d20784.

📒 Files selected for processing (7)
  • .github/workflows/zizmor.yml
  • docs/guides/templating.md
  • docs/snippets/certsans-template-v2-external-secret.yaml
  • runtime/template/v2/pem.go
  • runtime/template/v2/pem_test.go
  • runtime/template/v2/template.go
  • runtime/template/v2/template_test.go
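The two points that matter in the review above, the PEM-to-SAN extraction with capacity-only preallocation (make([]string, 0, total) rather than a length, so no leading empty strings are appended) and the template composition with join and index that the PR description and snippet talk about, shown end to end as an added example. This is not the project's code, its test or its _testdata/sans.crt fixture: it assumes a certSANs(string) ([]string, error) shape mirroring the PR description, a sprig-style join that takes the separator first, a CERTIFICATE type check and the DNS, IP, email, URI ordering as design choices of this example, and a self-signed certificate constructed at run time in place of the project's fixture.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"strings"
	"text/template"
	"time"
)

// certSANs decodes the first PEM block in input, parses it as an X.509
// certificate and returns every Subject Alternative Name in a fixed order:
// DNS names, IP addresses, email addresses, URIs. The signature is an
// assumption mirroring the PR description; the project's function is private.
func certSANs(input string) ([]string, error) {
	block, _ := pem.Decode([]byte(input)) // skips any junk before "-----BEGIN"
	if block == nil {
		return nil, fmt.Errorf("certSANs: no PEM block found in input")
	}
	if block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("certSANs: expected a CERTIFICATE block, got %q", block.Type)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("certSANs: parsing certificate: %w", err)
	}
	total := len(cert.DNSNames) + len(cert.IPAddresses) + len(cert.EmailAddresses) + len(cert.URIs)
	// Capacity only: make([]string, total) would start with `total` empty strings.
	sans := make([]string, 0, total)
	sans = append(sans, cert.DNSNames...)
	for _, ip := range cert.IPAddresses {
		sans = append(sans, ip.String())
	}
	sans = append(sans, cert.EmailAddresses...)
	for _, u := range cert.URIs {
		sans = append(sans, u.String())
	}
	return sans, nil
}

// renderSANs registers certSANs in a text/template FuncMap next to a sprig-style
// join (join SEP LIST) and renders a comma-separated SAN list plus the primary domain.
func renderSANs(certPEM string) (string, error) {
	funcs := template.FuncMap{
		"certSANs": certSANs,
		"join":     func(sep string, v []string) string { return strings.Join(v, sep) },
	}
	const tpl = "sans={{ .cert | certSANs | join \",\" }}\nprimary={{ index (certSANs .cert) 0 }}\n"
	t, err := template.New("sans").Funcs(funcs).Parse(tpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, map[string]string{"cert": certPEM}); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// newTestCertPEM builds a self-signed certificate carrying one SAN of each
// kind: a fixture constructed for this example, not the project's sans.crt.
func newTestCertPEM() (string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	spiffeID, _ := url.Parse("spiffe://example.test/ns/default/sa/web") // constant, parses cleanly
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(time.Hour),
		DNSNames:       []string{"example.test", "www.example.test"},
		IPAddresses:    []net.IP{net.ParseIP("192.0.2.10")},
		EmailAddresses: []string{"admin@example.test"},
		URIs:           []*url.URL{spiffeID},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

func main() {
	certPEM, err := newTestCertPEM()
	if err != nil {
		panic(err)
	}
	// Leading junk mirrors the "junk before PEM" test case; pem.Decode skips it.
	if out, err := renderSANs("# issued by the example CA\n" + certPEM); err != nil {
		panic(err)
	} else {
		fmt.Print(out)
	}
}
```

Run it with go run; it prints the five SANs joined by commas and example.test as the primary domain. Because the order is fixed by this example's own loops, a template that relies on index 0 being a DNS name only holds for certificates that carry at least one DNS SAN; a certificate with only IP SANs would make index 0 an IP, and a certificate with no SANs makes index 0 a template error.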


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (2)
runtime/template/v2/pem_test.go (2)

378-410: Consider adding test cases for IP, email, and URI SANs.

The PR objective states that certSANs should return "DNS names, IP addresses, email addresses, and URIs," but the tests only verify DNS name extraction. Adding test cases with certificates containing other SAN types would validate the full implementation.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@runtime/template/v2/pem_test.go` around lines 378 - 410, Tests under
TestCertSANs only verify DNS SAN extraction; add additional cases that feed PEMs
containing IP, email, and URI SAN entries to validate certSANs handles all SAN
types. Extend the tests array in TestCertSANs with fixtures (or inline PEM
strings/read from _testdata) for: an IP SAN certificate expecting the IP string
in want, an email SAN certificate expecting the email, and a URI SAN certificate
expecting the URI; also include mixed-SAN certificate to assert multiple types
are returned together and preserve existing invalid/empty cases.

418-428: Slice comparison is adequate but could be simplified.

The manual element-by-element comparison works correctly. For future maintainability, consider using reflect.DeepEqual or slices.Equal (Go 1.21+) for slice comparisons.

♻️ Optional simplification using slices.Equal
+import "slices"
+
 // In test assertion:
-			if !tt.wantErr {
-				if len(got) != len(tt.want) {
-					t.Errorf("certSANs() = %v, want %v", got, tt.want)
-					return
-				}
-				for i := range got {
-					if got[i] != tt.want[i] {
-						t.Errorf("certSANs()[%d] = %v, want %v", i, got[i], tt.want[i])
-					}
-				}
-			}
+			if !tt.wantErr && !slices.Equal(got, tt.want) {
+				t.Errorf("certSANs() = %v, want %v", got, tt.want)
+			}
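Review bot: the `+import "slices"` line at the top of the hunk is a bare import statement rather than an entry in pem_test.go's existing grouped import block, so the suggestion does not apply as shown; add "slices" inside the existing `import (...)` instead. On the `!slices.Equal(got, tt.want)` replacement itself: slices.Equal treats a nil slice and an empty non-nil slice as equal, exactly as the removed len-plus-loop check did, so the two forms agree on every table entry, including cases whose want is empty.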
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@runtime/template/v2/pem_test.go` around lines 418 - 428, The test manually
compares slices returned by certSANs() element-by-element; replace that block
with a single slice equality check (e.g., reflect.DeepEqual(got, tt.want) or
slices.Equal(got, tt.want) on Go 1.21+) and call t.Errorf with both slices when
they differ to simplify and improve readability; update the conditional that
uses got and tt.want so length and element checks are replaced by one equality
check and a single error message referencing certSANs(), got and tt.want.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@runtime/template/v2/pem_test.go`:
- Around line 405-409: The test case "cert from file (foo.crt)" currently
ignores the os.ReadFile error in the inline input func, which can hide file-read
failures; fix by explicitly handling the error: either move the file read out of
the inline initializer into the test loop (e.g., in TestX's range over cases)
and call t.Fatalf or t.Fatalff on read error, or replace the inline func with a
helper that returns the file contents or panics with the read error so failures
surface immediately; target the specific test case name and the inline func that
calls os.ReadFile("_testdata/foo.crt") when making the change.

---

Nitpick comments:
In `@runtime/template/v2/pem_test.go`:
- Around line 378-410: Tests under TestCertSANs only verify DNS SAN extraction;
add additional cases that feed PEMs containing IP, email, and URI SAN entries to
validate certSANs handles all SAN types. Extend the tests array in TestCertSANs
with fixtures (or inline PEM strings/read from _testdata) for: an IP SAN
certificate expecting the IP string in want, an email SAN certificate expecting
the email, and a URI SAN certificate expecting the URI; also include mixed-SAN
certificate to assert multiple types are returned together and preserve existing
invalid/empty cases.
- Around line 418-428: The test manually compares slices returned by certSANs()
element-by-element; replace that block with a single slice equality check (e.g.,
reflect.DeepEqual(got, tt.want) or slices.Equal(got, tt.want) on Go 1.21+) and
call t.Errorf with both slices when they differ to simplify and improve
readability; update the conditional that uses got and tt.want so length and
element checks are replaced by one equality check and a single error message
referencing certSANs(), got and tt.want.


📥 Commits

Reviewing files that changed from the base of the PR and between 7d20784 and 953d72e.

📒 Files selected for processing (7)
  • .github/workflows/zizmor.yml
  • docs/guides/templating.md
  • docs/snippets/certsans-template-v2-external-secret.yaml
  • runtime/template/v2/pem.go
  • runtime/template/v2/pem_test.go
  • runtime/template/v2/template.go
  • runtime/template/v2/template_test.go
🚧 Files skipped from review as they are similar to previous changes (4)
  • runtime/template/v2/pem.go
  • docs/snippets/certsans-template-v2-external-secret.yaml
  • runtime/template/v2/template_test.go
  • .github/workflows/zizmor.yml


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@runtime/template/v2/pem_test.go`:
- Line 406: The test case's name field is inconsistent with the file being read:
update the test case name (the "name" field in the table entry) to match the
actual file `_testdata/sans.crt` (for example change "cert from file (foo.crt)"
to "cert from file (sans.crt)"), or alternatively change the referenced file to
match the name; ensure the "name" string and the file path used in the test are
consistent so maintainers won't be confused.


📥 Commits

Reviewing files that changed from the base of the PR and between 953d72e and 0ecf672.

📒 Files selected for processing (9)
  • .github/workflows/zizmor.yml
  • docs/guides/templating.md
  • docs/snippets/certsans-template-v2-external-secret.yaml
  • runtime/template/v2/_testdata/sans.crt
  • runtime/template/v2/_testdata/sans.key
  • runtime/template/v2/pem.go
  • runtime/template/v2/pem_test.go
  • runtime/template/v2/template.go
  • runtime/template/v2/template_test.go
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/zizmor.yml
🚧 Files skipped from review as they are similar to previous changes (2)
  • runtime/template/v2/template.go
  • runtime/template/v2/template_test.go

…ates

Add a new `certSANs` template function that extracts Subject Alternative
Names (SANs) from PEM-encoded certificates. The function returns a list
of all SANs including DNS names, IP addresses, email addresses, and URIs.

This is useful when users need to inspect or reuse the domains/IPs that
a certificate covers directly within ExternalSecret templates, e.g. to
build comma-separated SAN lists or extract the primary domain.

The function integrates into the existing template pipeline and can be
combined with `filterPEM` and `filterCertChain` for full certificate
chain processing.

Closes external-secrets#6057

Signed-off-by: Maciej Zdeb <maciej.zdeb@allegro.pl>

@Skarlso Skarlso merged commit 7d3d062 into external-secrets:main Mar 17, 2026
32 checks passed
AlexOQ pushed a commit to AlexOQ/external-secrets that referenced this pull request Mar 18, 2026
…ates (external-secrets#6058)

Co-authored-by: Gergely Bräutigam <gergely.brautigam@sap.com>
Signed-off-by: AlexOQ <30403857+AlexOQ@users.noreply.github.com>
alexlebens pushed a commit to alexlebens/infrastructure that referenced this pull request Mar 20, 2026
…2.2.0 (#4923)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [external-secrets/external-secrets](https://github.com/external-secrets/external-secrets) | minor | `v2.1.0` → `v2.2.0` |

---

> ⚠️ **Warning**
>
> Some dependencies could not be looked up. Check the [Dependency Dashboard](issues/2) for more information.

---

### Release Notes

<details>
<summary>external-secrets/external-secrets (external-secrets/external-secrets)</summary>

### [`v2.2.0`](https://github.com/external-secrets/external-secrets/releases/tag/v2.2.0)

[Compare Source](external-secrets/external-secrets@v2.1.0...v2.2.0)

Image: `ghcr.io/external-secrets/external-secrets:v2.2.0`
Image: `ghcr.io/external-secrets/external-secrets:v2.2.0-ubi`
Image: `ghcr.io/external-secrets/external-secrets:v2.2.0-ubi-boringssl`

<!-- Release notes generated using configuration in .github/release.yml at main -->

#### What's Changed

##### General

- chore: release charts v2.1.0 by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;6030](external-secrets/external-secrets#6030)
- chore: fix the stability doc by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;6035](external-secrets/external-secrets#6035)
- fix(security): Fix vulnerabilities by [@&#8203;othomann](https://github.com/othomann) in [#&#8203;6052](external-secrets/external-secrets#6052)
- fix(aws): sync tags and resource policy even when secret value unchanged by [@&#8203;evs-secops](https://github.com/evs-secops) in [#&#8203;6025](external-secrets/external-secrets#6025)
- fix: publish now uses docker build v4 which required some changes by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;6062](external-secrets/external-secrets#6062)
- feat(gcpsm): auto-detect projectID from GCP metadata server by [@&#8203;patjlm](https://github.com/patjlm) in [#&#8203;5922](external-secrets/external-secrets#5922)
- chore(templating): Remove years in license and their checks by [@&#8203;evrardj-roche](https://github.com/evrardj-roche) in [#&#8203;5955](external-secrets/external-secrets#5955)
- docs: Add Roche to official ADOPTERS by [@&#8203;evrardj-roche](https://github.com/evrardj-roche) in [#&#8203;6076](external-secrets/external-secrets#6076)
- feat: Add Last Sync column to ExternalSecret and PushSecret printers by [@&#8203;jaruwat-panturat](https://github.com/jaruwat-panturat) in [#&#8203;6068](external-secrets/external-secrets#6068)
- fix(onepassword): support native item IDs by [@&#8203;chadxz](https://github.com/chadxz) in [#&#8203;6073](external-secrets/external-secrets#6073)
- feat: extract LGTM processor to external JS file with tests by [@&#8203;mateenali66](https://github.com/mateenali66) in [#&#8203;6074](external-secrets/external-secrets#6074)
- feat: fail fast if LGTM label does not exist in repository by [@&#8203;mateenali66](https://github.com/mateenali66) in [#&#8203;6078](external-secrets/external-secrets#6078)
- feat(passbolt): add support for Passbolt V5 API by [@&#8203;cedricherzog-passbolt](https://github.com/cedricherzog-passbolt) in [#&#8203;5919](external-secrets/external-secrets#5919)
- fix(infisical): dataFrom.find.path should filter by secret path not name by [@&#8203;johnvox](https://github.com/johnvox) in [#&#8203;6086](external-secrets/external-secrets#6086)
- fix: disable the priority queue which misbehaves at scale by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;6083](external-secrets/external-secrets#6083)
- chore: update go version to 1.26.1 by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;6072](external-secrets/external-secrets#6072)
- docs(aws): fix PushSecret metadata indentation in resource policy exa... by [@&#8203;Br1an67](https://github.com/Br1an67) in [#&#8203;6056](external-secrets/external-secrets#6056)
- fix(aws): prevent EC2 IMDS fallback when explicit credentials are pro... by [@&#8203;Br1an67](https://github.com/Br1an67) in [#&#8203;6036](external-secrets/external-secrets#6036)
- feat(templating): Add certSANs function to extract SANs from certificates by [@&#8203;mzdeb](https://github.com/mzdeb) in [#&#8203;6058](external-secrets/external-secrets#6058)
- docs: document template.metadata labels/annotations behavior by [@&#8203;lucpas](https://github.com/lucpas) in [#&#8203;6102](external-secrets/external-secrets#6102)
- fix: CODEOWNERS are seriously out of date by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;6106](external-secrets/external-secrets#6106)
- feat(helm): add readinessProbe support for external-secrets deployment by [@&#8203;AlexOQ](https://github.com/AlexOQ) in [#&#8203;5831](external-secrets/external-secrets#5831)
- fix: update grpc for CVE-2026-33186 by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;6108](external-secrets/external-secrets#6108)
- feat(azurekv): add expiration time to azure kv secret by [@&#8203;muraliavarma](https://github.com/muraliavarma) in [#&#8203;5935](external-secrets/external-secrets#5935)
- feat: add path to cloud.ru provider by [@&#8203;heavyandrew](https://github.com/heavyandrew) in [#&#8203;5952](external-secrets/external-secrets#5952)
- fix(add-eso-version): fix separator line pattern in add\_eso\_version.sh script by [@&#8203;riccardomc](https://github.com/riccardomc) in [#&#8203;6113](external-secrets/external-secrets#6113)

##### Dependencies

- chore(deps): bump zizmorcore/zizmor-action from 0.5.0 to 0.5.2 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6038](external-secrets/external-secrets#6038)
- chore(deps): bump charset-normalizer from 3.4.4 to 3.4.5 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6047](external-secrets/external-secrets#6047)
- chore(deps): bump platformdirs from 4.9.2 to 4.9.4 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6050](external-secrets/external-secrets#6050)
- chore(deps): bump mkdocs-material from 9.7.3 to 9.7.4 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6049](external-secrets/external-secrets#6049)
- chore(deps): bump github/codeql-action from 4.32.4 to 4.32.6 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6039](external-secrets/external-secrets#6039)
- chore(deps): bump step-security/harden-runner from 2.15.0 to 2.15.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6043](external-secrets/external-secrets#6043)
- chore(deps): bump actions/dependency-review-action from 4.8.3 to 4.9.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6040](external-secrets/external-secrets#6040)
- chore(deps): bump crazy-max/ghaction-import-gpg from 6.3.0 to 7.0.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6044](external-secrets/external-secrets#6044)
- chore(deps): bump docker/login-action from 3.7.0 to 4.0.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6042](external-secrets/external-secrets#6042)
- chore(deps): bump docker/setup-buildx-action from 3.12.0 to 4.0.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6041](external-secrets/external-secrets#6041)
- chore(deps): bump docker/setup-qemu-action from 3.7.0 to 4.0.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6046](external-secrets/external-secrets#6046)
- chore(deps): bump aquasecurity/trivy-action from 0.34.1 to 0.35.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6048](external-secrets/external-secrets#6048)
- chore(deps): bump anchore/sbom-action from 0.23.0 to 0.23.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6093](external-secrets/external-secrets#6093)
- chore(deps): bump distroless/static from `28efbe9` to `47b2d72` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6088](external-secrets/external-secrets#6088)
- chore(deps): bump ubi9/ubi from `cecb1cd` to `6ed9f6f` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6087](external-secrets/external-secrets#6087)
- chore(deps): bump mkdocs-material from 9.7.4 to 9.7.5 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6096](external-secrets/external-secrets#6096)
- chore(deps): bump tornado from 6.5.4 to 6.5.5 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6094](external-secrets/external-secrets#6094)
- chore(deps): bump charset-normalizer from 3.4.5 to 3.4.6 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6095](external-secrets/external-secrets#6095)
- chore(deps): bump step-security/harden-runner from 2.15.1 to 2.16.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6089](external-secrets/external-secrets#6089)
- chore(deps): bump sigstore/cosign-installer from 4.0.0 to 4.1.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6092](external-secrets/external-secrets#6092)
- chore(deps): bump softprops/action-gh-release from 2.5.0 to 2.6.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6090](external-secrets/external-secrets#6090)
- chore(deps): bump actions/create-github-app-token from 2.2.1 to 3.0.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6091](external-secrets/external-secrets#6091)

#### New Contributors

- [@&#8203;othomann](https://github.com/othomann) made their first contribution in [#&#8203;6052](external-secrets/external-secrets#6052)
- [@&#8203;evs-secops](https://github.com/evs-secops) made their first contribution in [#&#8203;6025](external-secrets/external-secrets#6025)
- [@&#8203;patjlm](https://github.com/patjlm) made their first contribution in [#&#8203;5922](external-secrets/external-secrets#5922)
- [@&#8203;jaruwat-panturat](https://github.com/jaruwat-panturat) made their first contribution in [#&#8203;6068](external-secrets/external-secrets#6068)
- [@&#8203;chadxz](https://github.com/chadxz) made their first contribution in [#&#8203;6073](external-secrets/external-secrets#6073)
- [@&#8203;mateenali66](https://github.com/mateenali66) made their first contribution in [#&#8203;6074](external-secrets/external-secrets#6074)
- [@&#8203;cedricherzog-passbolt](https://github.com/cedricherzog-passbolt) made their first contribution in [#&#8203;5919](external-secrets/external-secrets#5919)
- [@&#8203;johnvox](https://github.com/johnvox) made their first contribution in [#&#8203;6086](external-secrets/external-secrets#6086)
- [@&#8203;Br1an67](https://github.com/Br1an67) made their first contribution in [#&#8203;6056](external-secrets/external-secrets#6056)
- [@&#8203;mzdeb](https://github.com/mzdeb) made their first contribution in [#&#8203;6058](external-secrets/external-secrets#6058)
- [@&#8203;lucpas](https://github.com/lucpas) made their first contribution in [#&#8203;6102](external-secrets/external-secrets#6102)
- [@&#8203;AlexOQ](https://github.com/AlexOQ) made their first contribution in [#&#8203;5831](external-secrets/external-secrets#5831)
- [@&#8203;muraliavarma](https://github.com/muraliavarma) made their first contribution in [#&#8203;5935](external-secrets/external-secrets#5935)
- [@&#8203;heavyandrew](https://github.com/heavyandrew) made their first contribution in [#&#8203;5952](external-secrets/external-secrets#5952)

**Full Changelog**: <external-secrets/external-secrets@v2.1.0...v2.2.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41OS4yIiwidXBkYXRlZEluVmVyIjoiNDMuNTkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiaW1hZ2UiXX0=-->

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/4923
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
alexlebens pushed a commit to alexlebens/infrastructure that referenced this pull request Mar 20, 2026
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [external-secrets](https://github.com/external-secrets/external-secrets) | minor | `2.1.0` → `2.2.0` |

---

> ⚠️ **Warning**
>
> Some dependencies could not be looked up. Check the [Dependency Dashboard](issues/2) for more information.

---

### Release Notes

<details>
<summary>external-secrets/external-secrets (external-secrets)</summary>

### [`v2.2.0`](https://github.com/external-secrets/external-secrets/releases/tag/v2.2.0)

[Compare Source](external-secrets/external-secrets@v2.1.0...v2.2.0)

Image: `ghcr.io/external-secrets/external-secrets:v2.2.0`
Image: `ghcr.io/external-secrets/external-secrets:v2.2.0-ubi`
Image: `ghcr.io/external-secrets/external-secrets:v2.2.0-ubi-boringssl`

<!-- Release notes generated using configuration in .github/release.yml at main -->

##### What's Changed

##### General

- chore: release charts v2.1.0 by [@Skarlso](https://github.com/Skarlso) in [#6030](external-secrets/external-secrets#6030)
- chore: fix the stability doc by [@Skarlso](https://github.com/Skarlso) in [#6035](external-secrets/external-secrets#6035)
- fix(security): Fix vulnerabilities by [@othomann](https://github.com/othomann) in [#6052](external-secrets/external-secrets#6052)
- fix(aws): sync tags and resource policy even when secret value unchanged by [@evs-secops](https://github.com/evs-secops) in [#6025](external-secrets/external-secrets#6025)
- fix: publish now uses docker build v4 which required some changes by [@Skarlso](https://github.com/Skarlso) in [#6062](external-secrets/external-secrets#6062)
- feat(gcpsm): auto-detect projectID from GCP metadata server by [@patjlm](https://github.com/patjlm) in [#5922](external-secrets/external-secrets#5922)
- chore(templating): Remove years in license and their checks by [@evrardj-roche](https://github.com/evrardj-roche) in [#5955](external-secrets/external-secrets#5955)
- docs: Add Roche to official ADOPTERS by [@evrardj-roche](https://github.com/evrardj-roche) in [#6076](external-secrets/external-secrets#6076)
- feat: Add Last Sync column to ExternalSecret and PushSecret printers by [@jaruwat-panturat](https://github.com/jaruwat-panturat) in [#6068](external-secrets/external-secrets#6068)
- fix(onepassword): support native item IDs by [@chadxz](https://github.com/chadxz) in [#6073](external-secrets/external-secrets#6073)
- feat: extract LGTM processor to external JS file with tests by [@mateenali66](https://github.com/mateenali66) in [#6074](external-secrets/external-secrets#6074)
- feat: fail fast if LGTM label does not exist in repository by [@mateenali66](https://github.com/mateenali66) in [#6078](external-secrets/external-secrets#6078)
- feat(passbolt): add support for Passbolt V5 API by [@cedricherzog-passbolt](https://github.com/cedricherzog-passbolt) in [#5919](external-secrets/external-secrets#5919)
- fix(infisical): dataFrom.find.path should filter by secret path not name by [@johnvox](https://github.com/johnvox) in [#6086](external-secrets/external-secrets#6086)
- fix: disable the priority queue which misbehaves at scale by [@Skarlso](https://github.com/Skarlso) in [#6083](external-secrets/external-secrets#6083)
- chore: update go version to 1.26.1 by [@Skarlso](https://github.com/Skarlso) in [#6072](external-secrets/external-secrets#6072)
- docs(aws): fix PushSecret metadata indentation in resource policy exa... by [@Br1an67](https://github.com/Br1an67) in [#6056](external-secrets/external-secrets#6056)
- fix(aws): prevent EC2 IMDS fallback when explicit credentials are pro... by [@Br1an67](https://github.com/Br1an67) in [#6036](external-secrets/external-secrets#6036)
- feat(templating): Add certSANs function to extract SANs from certificates by [@mzdeb](https://github.com/mzdeb) in [#6058](external-secrets/external-secrets#6058)
- docs: document template.metadata labels/annotations behavior by [@lucpas](https://github.com/lucpas) in [#6102](external-secrets/external-secrets#6102)
- fix: CODEOWNERS are seriously out of date by [@Skarlso](https://github.com/Skarlso) in [#6106](external-secrets/external-secrets#6106)
- feat(helm): add readinessProbe support for external-secrets deployment by [@AlexOQ](https://github.com/AlexOQ) in [#5831](external-secrets/external-secrets#5831)
- fix: update grpc for CVE-2026-33186 by [@Skarlso](https://github.com/Skarlso) in [#6108](external-secrets/external-secrets#6108)
- feat(azurekv): add expiration time to azure kv secret by [@muraliavarma](https://github.com/muraliavarma) in [#5935](external-secrets/external-secrets#5935)
- feat: add path to cloud.ru provider by [@heavyandrew](https://github.com/heavyandrew) in [#5952](external-secrets/external-secrets#5952)
- fix(add-eso-version): fix separator line pattern in add_eso_version.sh script by [@riccardomc](https://github.com/riccardomc) in [#6113](external-secrets/external-secrets#6113)

##### Dependencies

- chore(deps): bump zizmorcore/zizmor-action from 0.5.0 to 0.5.2 by [@dependabot](https://github.com/dependabot)[bot] in [#6038](external-secrets/external-secrets#6038)
- chore(deps): bump charset-normalizer from 3.4.4 to 3.4.5 in /hack/api-docs by [@dependabot](https://github.com/dependabot)[bot] in [#6047](external-secrets/external-secrets#6047)
- chore(deps): bump platformdirs from 4.9.2 to 4.9.4 in /hack/api-docs by [@dependabot](https://github.com/dependabot)[bot] in [#6050](external-secrets/external-secrets#6050)
- chore(deps): bump mkdocs-material from 9.7.3 to 9.7.4 in /hack/api-docs by [@dependabot](https://github.com/dependabot)[bot] in [#6049](external-secrets/external-secrets#6049)
- chore(deps): bump github/codeql-action from 4.32.4 to 4.32.6 by [@dependabot](https://github.com/dependabot)[bot] in [#6039](external-secrets/external-secrets#6039)
- chore(deps): bump step-security/harden-runner from 2.15.0 to 2.15.1 by [@dependabot](https://github.com/dependabot)[bot] in [#6043](external-secrets/external-secrets#6043)
- chore(deps): bump actions/dependency-review-action from 4.8.3 to 4.9.0 by [@dependabot](https://github.com/dependabot)[bot] in [#6040](external-secrets/external-secrets#6040)
- chore(deps): bump crazy-max/ghaction-import-gpg from 6.3.0 to 7.0.0 by [@dependabot](https://github.com/dependabot)[bot] in [#6044](external-secrets/external-secrets#6044)
- chore(deps): bump docker/login-action from 3.7.0 to 4.0.0 by [@dependabot](https://github.com/dependabot)[bot] in [#6042](external-secrets/external-secrets#6042)
- chore(deps): bump docker/setup-buildx-action from 3.12.0 to 4.0.0 by [@dependabot](https://github.com/dependabot)[bot] in [#6041](external-secrets/external-secrets#6041)
- chore(deps): bump docker/setup-qemu-action from 3.7.0 to 4.0.0 by [@dependabot](https://github.com/dependabot)[bot] in [#6046](external-secrets/external-secrets#6046)
- chore(deps): bump aquasecurity/trivy-action from 0.34.1 to 0.35.0 by [@dependabot](https://github.com/dependabot)[bot] in [#6048](external-secrets/external-secrets#6048)
- chore(deps): bump anchore/sbom-action from 0.23.0 to 0.23.1 by [@dependabot](https://github.com/dependabot)[bot] in [#6093](external-secrets/external-secrets#6093)
- chore(deps): bump distroless/static from `28efbe9` to `47b2d72` by [@dependabot](https://github.com/dependabot)[bot] in [#6088](external-secrets/external-secrets#6088)
- chore(deps): bump ubi9/ubi from `cecb1cd` to `6ed9f6f` by [@dependabot](https://github.com/dependabot)[bot] in [#6087](external-secrets/external-secrets#6087)
- chore(deps): bump mkdocs-material from 9.7.4 to 9.7.5 in /hack/api-docs by [@dependabot](https://github.com/dependabot)[bot] in [#6096](external-secrets/external-secrets#6096)
- chore(deps): bump tornado from 6.5.4 to 6.5.5 in /hack/api-docs by [@dependabot](https://github.com/dependabot)[bot] in [#6094](external-secrets/external-secrets#6094)
- chore(deps): bump charset-normalizer from 3.4.5 to 3.4.6 in /hack/api-docs by [@dependabot](https://github.com/dependabot)[bot] in [#6095](external-secrets/external-secrets#6095)
- chore(deps): bump step-security/harden-runner from 2.15.1 to 2.16.0 by [@dependabot](https://github.com/dependabot)[bot] in [#6089](external-secrets/external-secrets#6089)
- chore(deps): bump sigstore/cosign-installer from 4.0.0 to 4.1.0 by [@dependabot](https://github.com/dependabot)[bot] in [#6092](external-secrets/external-secrets#6092)
- chore(deps): bump softprops/action-gh-release from 2.5.0 to 2.6.1 by [@dependabot](https://github.com/dependabot)[bot] in [#6090](external-secrets/external-secrets#6090)
- chore(deps): bump actions/create-github-app-token from 2.2.1 to 3.0.0 by [@dependabot](https://github.com/dependabot)[bot] in [#6091](external-secrets/external-secrets#6091)

##### New Contributors

- [@othomann](https://github.com/othomann) made their first contribution in [#6052](external-secrets/external-secrets#6052)
- [@evs-secops](https://github.com/evs-secops) made their first contribution in [#6025](external-secrets/external-secrets#6025)
- [@patjlm](https://github.com/patjlm) made their first contribution in [#5922](external-secrets/external-secrets#5922)
- [@jaruwat-panturat](https://github.com/jaruwat-panturat) made their first contribution in [#6068](external-secrets/external-secrets#6068)
- [@chadxz](https://github.com/chadxz) made their first contribution in [#6073](external-secrets/external-secrets#6073)
- [@mateenali66](https://github.com/mateenali66) made their first contribution in [#6074](external-secrets/external-secrets#6074)
- [@cedricherzog-passbolt](https://github.com/cedricherzog-passbolt) made their first contribution in [#5919](external-secrets/external-secrets#5919)
- [@johnvox](https://github.com/johnvox) made their first contribution in [#6086](external-secrets/external-secrets#6086)
- [@Br1an67](https://github.com/Br1an67) made their first contribution in [#6056](external-secrets/external-secrets#6056)
- [@mzdeb](https://github.com/mzdeb) made their first contribution in [#6058](external-secrets/external-secrets#6058)
- [@lucpas](https://github.com/lucpas) made their first contribution in [#6102](external-secrets/external-secrets#6102)
- [@AlexOQ](https://github.com/AlexOQ) made their first contribution in [#5831](external-secrets/external-secrets#5831)
- [@muraliavarma](https://github.com/muraliavarma) made their first contribution in [#5935](external-secrets/external-secrets#5935)
- [@heavyandrew](https://github.com/heavyandrew) made their first contribution in [#5952](external-secrets/external-secrets#5952)

**Full Changelog**: <external-secrets/external-secrets@v2.1.0...v2.2.0>

</details>

---

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/4927
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
Labels: area/templating (Issues / Pull Requests related to templating engines), component/github-actions, kind/documentation (Categorizes issue or PR as related to documentation), kind/feature (Categorizes issue or PR as related to a new feature), size/m

Projects: Status: Done

Development: Successfully merging this pull request may close the issue "Add certSANs template function to extract Subject Alternative Names from certificates".

2 participants