
feat(aws): secretsmanager to update/patch/delete tags#4984

Merged
Skarlso merged 10 commits into external-secrets:main from gofogo:feat-1821-sm-update-delete-tags
Jul 31, 2025

@ivankatliarchuk
Contributor

@ivankatliarchuk ivankatliarchuk commented Jul 3, 2025

Problem Statement

What is the problem you're trying to solve?


Related Issue

Fixes #4538

Proposed Changes

Added support for tags lifecycle

Checklist

  • I have read the contribution guidelines
  • All commits are signed with git commit --signoff
  • My changes have reasonable test coverage
  • All tests pass with make test
  • I ensured my PR is ready for review with make reviewable

Manifest

```yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: external-secrets
---
# https://external-secrets.io/latest/api/secretstore/
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: aws-secretstore
  namespace: external-secrets
spec:
  provider:
    aws:
      service: SecretsManager
      region: eu-west-1
      secretsManager:
        forceDeleteWithoutRecovery: true
---
# https://external-secrets.io/latest/api/generator/password/
apiVersion: generators.external-secrets.io/v1alpha1
kind: Password
metadata:
  name: my-password
  namespace: external-secrets
spec:
  length: 12
  digits: 5
  symbols: 5
  symbolCharacters: "-_"
  noUpper: false
  allowRepeat: true
---
# https://external-secrets.io/latest/api/pushsecret/
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: pushsecret-to-aws-example
  namespace: external-secrets
spec:
  deletionPolicy: Delete
  refreshInterval: 1m
  secretStoreRefs:
    - name: aws-secretstore
      kind: SecretStore
  selector:
    generatorRef:
      apiVersion: generators.external-secrets.io/v1alpha1
      kind: Password
      name: my-password
  data:
    - conversionStrategy: None
      match:
        secretKey: password # Source Kubernetes secret key to be pushed
        remoteRef:
          remoteKey: /team/omega/secret/superscret
      metadata:
        apiVersion: kubernetes.external-secrets.io/v1alpha1
        kind: PushSecretMetadata
        spec:
          secretPushFormat: string
          tags:
            secret-store: aws-secretstore
            refresh-interval: 2m
            description: "This is a test parameter pushed from Kubernetes"
```

Smoke test

  1. Create without custom tags
  2. Attach tags
  3. Delete tags and add new tag

update tags

refresh-interval=2m

refresh-interval=10m
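An added example, not code from this PR or from the external-secrets project: one way to compute the tag change set that the smoke-test steps above exercise (attach, delete plus add, update a value), where `Upsert` would go to the Secrets Manager `TagResource` call and `Remove` to `UntagResource`. The names `PlanTags` and `TagPlan`, and the treatment of a `managed-by` tag as operator-owned and untouchable, are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"sort"
)

// managedByKey is an assumption of this example: an ownership tag that the
// operator sets itself and that PushSecret metadata must not change or remove.
const managedByKey = "managed-by"

// TagPlan is the change set for one reconcile: Upsert would be sent with
// TagResource, Remove (keys only) with UntagResource.
type TagPlan struct {
	Upsert map[string]string
	Remove []string
}

// PlanTags compares the tags currently on the remote secret with the tags
// declared in the PushSecret metadata and returns the minimal change set.
func PlanTags(current, desired map[string]string) TagPlan {
	plan := TagPlan{Upsert: map[string]string{}}
	for k, want := range desired {
		if k == managedByKey {
			continue // ownership marker is not user-settable
		}
		if have, ok := current[k]; !ok || have != want {
			plan.Upsert[k] = want // new key, or same key with a changed value
		}
	}
	for k := range current {
		if k == managedByKey {
			continue // never strip the ownership marker
		}
		if _, keep := desired[k]; !keep {
			plan.Remove = append(plan.Remove, k)
		}
	}
	sort.Strings(plan.Remove) // deterministic order for logs and tests
	return plan
}

func main() {
	// Constructed sample state mirroring the manifest's tags.
	current := map[string]string{
		"managed-by":       "external-secrets",
		"secret-store":     "aws-secretstore",
		"refresh-interval": "2m",
	}
	desired := map[string]string{"refresh-interval": "10m", "team": "omega"}
	plan := PlanTags(current, desired)
	fmt.Println("upsert:", plan.Upsert, "remove:", plan.Remove)
}
```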

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>
@ivankatliarchuk ivankatliarchuk requested a review from a team as a code owner July 3, 2025 11:35
@ivankatliarchuk ivankatliarchuk marked this pull request as draft July 3, 2025 11:35
Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>
ivankatliarchuk and others added 3 commits July 29, 2025 08:14
Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>
Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>
@ivankatliarchuk ivankatliarchuk marked this pull request as ready for review July 29, 2025 09:26
@Skarlso
Contributor

Skarlso commented Jul 30, 2025

@ivankatliarchuk Could you please take a look at the resulting Sonar issue? :) Thanks!

@ivankatliarchuk
Contributor Author

Yeap. Will do

@ivankatliarchuk ivankatliarchuk force-pushed the feat-1821-sm-update-delete-tags branch from e80262c to 783d3e5 Compare July 31, 2025 08:55
@ivankatliarchuk
Contributor Author

I've made the updates. I can't find a button to enable reviewers to merge with main, so it's likely a setting from the PR's initial setup.

@Skarlso
Contributor

Skarlso commented Jul 31, 2025

/ok-to-test sha=101d897853a49cf625bbe68a015f5cce719f637c

@eso-service-account-app
Contributor

@Skarlso
Contributor

Skarlso commented Jul 31, 2025

Ugh, I will look at the e2e failure. I think it's unrelated to your changes.

@sonarqubecloud

@Skarlso Skarlso merged commit 014fb64 into external-secrets:main Jul 31, 2025
3 checks passed
@ivankatliarchuk ivankatliarchuk deleted the feat-1821-sm-update-delete-tags branch July 31, 2025 14:58
alexlebens pushed a commit to alexlebens/infrastructure that referenced this pull request Aug 3, 2025
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [external-secrets](https://github.com/external-secrets/external-secrets) | minor | `0.18.2` -> `0.19.0` |

---

### Release Notes

<details>
<summary>external-secrets/external-secrets (external-secrets)</summary>

### [`v0.19.0`](https://github.com/external-secrets/external-secrets/releases/tag/v0.19.0)

[Compare Source](external-secrets/external-secrets@v0.18.2...v0.19.0)

#### **BREAKING CHANGE**

🔴 🔴  BREAKING CHANGE 🔴 🔴

Please note that this is a breaking change because our CRDs are now too big. Meaning a simple kubectl apply or Argo's default client side apply WILL NOT WORK! You have to add `--server-side` to kubectl apply and in argo add:

```yaml
spec:
  project: default
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true
    - ServerSideApply=true
```

for it to correctly install the CRDs. Thank you.

Image: `ghcr.io/external-secrets/external-secrets:v0.19.0`
Image: `ghcr.io/external-secrets/external-secrets:v0.19.0-ubi`
Image: `ghcr.io/external-secrets/external-secrets:v0.19.0-ubi-boringssl`

#### What's Changed

- chore: release helm chart for v0.18.2 by [@Skarlso](https://github.com/Skarlso) in external-secrets/external-secrets#4985
- chore(deps): bump golang from `ee7ff13` to `10f549d` in /e2e by [@dependabot](https://github.com/dependabot)\[bot] in external-secrets/external-secrets#4997
- chore(deps): bump golang from `68932fa` to `68932fa` by [@dependabot](https://github.com/dependabot)\[bot] in external-secrets/external-secrets#5000
- chore(deps): bump mkdocs-material from 9.6.14 to 9.6.15 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in external-secrets/external-secrets#4998
- chore(deps): bump anchore/sbom-action from 0.20.1 to 0.20.2 by [@dependabot](https://github.com/dependabot)\[bot] in external-secrets/external-secrets#5001
- chore(deps): bump github/codeql-action from 3.29.1 to 3.29.2 by [@dependabot](https://github.com/dependabot)\[bot] in external-secrets/external-secrets#5003
- chore(deps): bump aquasecurity/trivy-action from 0.31.0 to 0.32.0 by [@dependabot](https://github.com/dependabot)\[bot] in external-secrets/external-secrets#5002
- fix: do not turn original value into string on value scope by [@Skarlso](https://github.com/Skarlso) in external-secrets/external-secrets#5011
- fix: add uuid in edit and view clusterroles by [@sylvainOL](https://github.com/sylvainOL) in external-secrets/external-secrets#5017
- chore: update dependencies by [@eso-service-account-app](https://github.com/eso-service-account-app)\[bot] in external-secrets/external-secrets#4999
- fix: template data should not be the secret Data itself by [@gusfcarvalho](https://github.com/gusfcarvalho) in external-secrets/external-secrets#5023
- Fix: Return appropriate error in ValidateStore by [@prakash-218](https://github.com/prakash-218) in external-secrets/external-secrets#5019
- feat(helm): allow to set init containers by [@rclsilver](https://github.com/rclsilver) in external-secrets/external-secrets#4745
- chore(deps): bump certifi from 2025.6.15 to 2025.7.14 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in external-secrets/external-secrets#5032
- Fix: Remove root/buildinfo from ubi build files by [@bainsy88](https://github.com/bainsy88) in external-secrets/external-secrets#5037
- chore(deps): bump ubi8/ubi from `19eae3d` to `c0b0729` by [@dependabot](https://github.com/dependabot)\[bot] in external-secrets/external-secrets#5033
- chore(deps): bump golang from 1.24.4-bookworm to 1.24.5-bookworm in /e2e by [@dependabot](https://github.com/dependabot)\[bot] in external-secrets/external-secrets#5029
- chore(deps): bump golang from 1.24.4 to 1.24.5 by [@dependabot](https://github.com/dependabot)\[bot] in external-secrets/external-secrets#5034
- chore: update dependencies by [@eso-service-account-app](https://github.com/eso-service-account-app)\[bot] in external-secrets/external-secrets#5031
- Add Red Hat OpenShift in Adopters by [@KeenonLee](https://github.com/KeenonLee) in external-secrets/external-secrets#5039
- fix: remove authentication option with JWT token from STSSessionToken generator by [@Skarlso](https://github.com/Skarlso) in external-secrets/external-secrets#5026
- fix: add validation constraints to ExternalSecretRewrite by [@Aakkash-Suresh](https://github.com/Aakkash-Suresh) in external-secrets/external-secrets#5006
- fix: stability support matrix by [@gusfcarvalho](https://github.com/gusfcarvalho) in external-secrets/external-secrets#5043
- docs(decoding-strategy): clarify base64 auto-detection limitations by [@orymate](https://github.com/orymate) in external-secrets/external-secrets#5004
- feat(infisical): auth methods by [@DanielHougaard](https://github.com/DanielHougaard) in external-secrets/external-secrets#5040
- chore(deps): bump alpine from 3.22.0 to 3.22.1 in /e2e by [@dependabot](https://github.com/dependabot)\[bot] in external-secrets/external-secrets#5046
- chore(aws): parameterstore unit tests improvement by [@ivankatliarchuk](https://github.com/ivankatliarchuk) in external-secrets/external-secrets#4986
- fix(helm): grafana dashboard: fix heatmaps to actually be heatmaps, not time series by [@desaintmartin](https://github.com/desaintmartin) in external-secrets/external-secrets#5069
- chore(deps): bump sigstore/cosign-installer from 3.9.1 to 3.9.2 by [@dependabot](https://github.com/dependabot)\[bot] in external-secrets/external-secrets#5047
- chore(deps): bump step-security/harden-runner from 2.12.2 to 2.13.0 by [@dependabot](https://github.com/dependabot)\[bot] in external-secrets/external-secrets#5048
- chore(deps): bump golang from `ddf5200` to `daae04e` by [@dependabot](https://github.com/dependabot)\[bot] in external-secrets/external-secrets#5049
- chore(deps): bump alpine from `8a1f59f` to `4bcff63` by [@dependabot](https://github.com/dependabot)\[bot] in external-secrets/external-secrets#5051
- chore(deps): bump alpine from `8a1f59f` to `4bcff63` in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in external-secrets/external-secrets#5052
- chore(deps): bump mkdocs-material from 9.6.15 to 9.6.16 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in external-secrets/external-secrets#5077
- Add SelfSubjectAccessReview as a fallback for failing SelfSubjectRulesReview by [@alvin-rw](https://github.com/alvin-rw) in external-secrets/external-secrets#5025
- chore(deps): bump golang from `69adc37` to `ef8c5c7` in /e2e by [@dependabot](https://github.com/dependabot)\[bot] in external-secrets/external-secrets#5076
- chore(deps): bump ubi8/ubi from `c0b0729` to `785d38c` by [@dependabot](https://github.com/dependabot)\[bot] in external-secrets/external-secrets#5075
- chore(deps): bump github/codeql-action from 3.29.2 to 3.29.4 by [@dependabot](https://github.com/dependabot)\[bot] in external-secrets/external-secrets#5072
- chore(deps): bump anchore/sbom-action from 0.20.2 to 0.20.4 by [@dependabot](https://github.com/dependabot)\[bot] in external-secrets/external-secrets#5073
- SSHKey generator by [@dex4er](https://github.com/dex4er) in external-secrets/external-secrets#5083
- fix: restore AWS credential chain resolution for ECRAuthorizationToken generator by [@aditmeno](https://github.com/aditmeno) in external-secrets/external-secrets#5082
- fix(helm): grafana dashboard: add widget for sum of not ready secrets by [@desaintmartin](https://github.com/desaintmartin) in external-secrets/external-secrets#5086
- feat(aws): secretsmanager to update/patch/delete tags by [@ivankatliarchuk](https://github.com/ivankatliarchuk) in external-secrets/external-secrets#4984
- fix: update the e2e test with the new store status value by [@Skarlso](https://github.com/Skarlso) in external-secrets/external-secrets#5089
- fix: correct usage of if in dlc and update for server side apply by [@Skarlso](https://github.com/Skarlso) in external-secrets/external-secrets#5092

#### New Contributors

- [@sylvainOL](https://github.com/sylvainOL) made their first contribution in external-secrets/external-secrets#5017
- [@prakash-218](https://github.com/prakash-218) made their first contribution in external-secrets/external-secrets#5019
- [@rclsilver](https://github.com/rclsilver) made their first contribution in external-secrets/external-secrets#4745
- [@bainsy88](https://github.com/bainsy88) made their first contribution in external-secrets/external-secrets#5037
- [@KeenonLee](https://github.com/KeenonLee) made their first contribution in external-secrets/external-secrets#5039
- [@orymate](https://github.com/orymate) made their first contribution in external-secrets/external-secrets#5004
- [@desaintmartin](https://github.com/desaintmartin) made their first contribution in external-secrets/external-secrets#5069
- [@alvin-rw](https://github.com/alvin-rw) made their first contribution in external-secrets/external-secrets#5025
- [@dex4er](https://github.com/dex4er) made their first contribution in external-secrets/external-secrets#5083
- [@aditmeno](https://github.com/aditmeno) made their first contribution in external-secrets/external-secrets#5082

**Full Changelog**: external-secrets/external-secrets@v0.18.2...v0.19.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/1114
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
jjacobs-poa pushed a commit to jjacobs-poa/external-secrets that referenced this pull request Aug 4, 2025
…ts#4984)

* feat(aws): secretsmanager to update/patch/delete tags

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

* feat(aws): secretsmanager to update/patch/delete tags

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

* feat(aws): secretsmanager to update/patch/delete tags

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

---------

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>
Signed-off-by: Jeroen Jacobs <jeroen.jacobs@portofantwerpbruges.com>
Skarlso added a commit that referenced this pull request Aug 6, 2025
* feat(aws): secretsmanager to update/patch/delete tags (#4984)

* feat(aws): secretsmanager to update/patch/delete tags

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

* feat(aws): secretsmanager to update/patch/delete tags

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

* feat(aws): secretsmanager to update/patch/delete tags

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>

---------

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>
Signed-off-by: Jeroen Jacobs <jeroen.jacobs@portofantwerpbruges.com>

* Implement strategy support for deployments

Signed-off-by: Jeroen Jacobs <jeroen.jacobs@portofantwerpbruges.com>

* test: add missing templates to strategy tests…)

Signed-off-by: Jeroen Jacobs <jeroen.jacobs@portofantwerpbruges.com>

* test: fix asserts

Signed-off-by: Jeroen Jacobs <jeroen.jacobs@portofantwerpbruges.com>

* fix: update the e2e test with the new store status value (#5089)

* fix: update the e2e test with the new store status value

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* add argo server side apply option

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* fix tab character instead of spaces 🤦

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* add replace true for CRD updates

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* increase arcocd version and remove replace

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

---------

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Co-authored-by: Idan Adar <iadar@il.ibm.com>
Signed-off-by: Jeroen Jacobs <jeroen.jacobs@portofantwerpbruges.com>

* fix: correct usage of if in dlc and update for server side apply (#5092)

* fix: correct usage of if in dlc and update for server side apply

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* fix tilt server side apply

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

---------

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Signed-off-by: Jeroen Jacobs <jeroen.jacobs@portofantwerpbruges.com>

* chore: release helm chart for v0.19.0 (#5093)

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Signed-off-by: Jeroen Jacobs <jeroen.jacobs@portofantwerpbruges.com>

* chore: remove ubi note (#5094)

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Signed-off-by: Jeroen Jacobs <jeroen.jacobs@portofantwerpbruges.com>

* test: fix readme

Signed-off-by: Jeroen Jacobs <jeroen.jacobs@portofantwerpbruges.com>

---------

Signed-off-by: ivan katliarchuk <ivan.katliarchuk@gmail.com>
Signed-off-by: Jeroen Jacobs <jeroen.jacobs@portofantwerpbruges.com>
Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Co-authored-by: Ivan Ka <5395690+ivankatliarchuk@users.noreply.github.com>
Co-authored-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Co-authored-by: Idan Adar <iadar@il.ibm.com>