docs: document redundant clusterName/clusterLocation parameters in GCP Secret Manager docs#5208
Merged
gusfcarvalho merged 4 commits intoexternal-secrets:mainfrom Sep 1, 2025
Conversation
…ret Manager provider docs Signed-off-by: Kilian Kluge <dev@kluge.ai>
2d33472 to
ec63f92
Compare
5 tasks
Member
|
We should still make it clear to users within the docs that adding those fields is a possibility. Only removing this seems bad. |
Contributor
Author
In principle, I agree. Happy to add a section about it. But what would be a situation where one still needs them? If there is no access to the metadata server to look up the values, WIF will not work either, right? ETA: The only situation I can think of is where ESO is blocked from accessing the metadata server due to network policies. Is that a realistic scenario? Would that still work? |
Member
IMO this is more about preventing to use metadata-server over a fixed configuration. I.e. spoofing prevention. how many people actually care about this? No idea 🤷🏽♂️ We should discuss deprecating this code path ; but until the code path remains, we should document to users this exists (even if it’s not our own preference as a project) |
Signed-off-by: Kilian Kluge <dev@kluge.ai>
Contributor
Author
That's fair. I added a section about specifying these values without discussing reasons why one might want to do so. FWIW, I believe deprecating this code is the way to go, as it aligns with how GCP/GKE model identities in WIF (i.e., Kubernetes SAs are identified by project ID, namespace, and name, but not by cluster name or cluster location, so an IAM binding applies to all Kubernetes service accounts on any cluster in a GCP project, as long as the name and namespace match.) |
Signed-off-by: Kilian Kluge <dev@kluge.ai>
gusfcarvalho
approved these changes
Sep 1, 2025
|
alexlebens
pushed a commit
to alexlebens/infrastructure
that referenced
this pull request
Sep 23, 2025
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [external-secrets](https://github.com/external-secrets/external-secrets) | minor | `0.19.2` -> `0.20.1` | --- ### Release Notes <details> <summary>external-secrets/external-secrets (external-secrets)</summary> ### [`v0.20.1`](https://github.com/external-secrets/external-secrets/releases/tag/v0.20.1) [Compare Source](external-secrets/external-secrets@v0.19.2...v0.20.1) Image: `ghcr.io/external-secrets/external-secrets:v0.20.1` Image: `ghcr.io/external-secrets/external-secrets:v0.20.1-ubi` Image: `ghcr.io/external-secrets/external-secrets:v0.20.1-ubi-boringssl` <!-- Release notes generated using configuration in .github/release.yml at main --> #### What's Changed ##### General - chore: release 0.19.2 by [@​moolen](https://github.com/moolen) in [#​5136](external-secrets/external-secrets#5136) - chore: update readme by [@​gusfcarvalho](https://github.com/gusfcarvalho) in [#​5137](external-secrets/external-secrets#5137) - fix(kubernetes): make auth field optional by [@​mhrabovcin](https://github.com/mhrabovcin) in [#​5064](external-secrets/external-secrets#5064) - chore: Fix Markdown spelling issues found by codespell by [@​mjtrangoni](https://github.com/mjtrangoni) in [#​5139](external-secrets/external-secrets#5139) - Fix yaml codeblock for oracle-vault provider docs by [@​muckelba](https://github.com/muckelba) in [#​5146](external-secrets/external-secrets#5146) - feat: add liveness probe to eso controller by [@​Skarlso](https://github.com/Skarlso) in [#​4930](external-secrets/external-secrets#4930) - fix(helm): add boolean for processClusterGenerator by [@​DrummyFloyd](https://github.com/DrummyFloyd) in [#​5144](external-secrets/external-secrets#5144) - chore: add Cisco to ADOPTERS.md by [@​sriaradhyula](https://github.com/sriaradhyula) in [#​5159](external-secrets/external-secrets#5159) - docs: Fix provider stability and support table by [@​jonstacks](https://github.com/jonstacks) in [#​5161](external-secrets/external-secrets#5161) - feat(helm): Add control of response to missing prometheus CRDs by [@​jcpunk](https://github.com/jcpunk) in [#​5087](external-secrets/external-secrets#5087) - chore: Added release notes configuration by [@​bonddim](https://github.com/bonddim) in [#​5148](external-secrets/external-secrets#5148) - chore: bump bitwarden helm chart version by [@​Skarlso](https://github.com/Skarlso) in [#​5044](external-secrets/external-secrets#5044) - chore(docs): update `ADOPTERS.md` to include SAP by [@​jakobmoellerdev](https://github.com/jakobmoellerdev) in [#​5165](external-secrets/external-secrets#5165) - feat: add externalsecret namespace for webhook provider by [@​matheusmazzoni](https://github.com/matheusmazzoni) in [#​5155](external-secrets/external-secrets#5155) - fix: add unknown status for secret store by [@​alvin-rw](https://github.com/alvin-rw) in [#​5070](external-secrets/external-secrets#5070) - Fix pushing to an AWS Secrets Manager Secret when there are no secret values by [@​nirajsapkota](https://github.com/nirajsapkota) in [#​4878](external-secrets/external-secrets#4878) - add extralabels for dashboard to be scraped by multiple grafana instances by [@​L1ghtman2k](https://github.com/L1ghtman2k) in [#​5138](external-secrets/external-secrets#5138) - fix: the api docs are not referencing sshkey generator by [@​Skarlso](https://github.com/Skarlso) in [#​5170](external-secrets/external-secrets#5170) - Update github.md by [@​gecube](https://github.com/gecube) in [#​5171](external-secrets/external-secrets#5171) - Update anchore-engine-credentials.md by [@​gecube](https://github.com/gecube) in [#​5172](external-secrets/external-secrets#5172) - docs: update infisical docs to clarify missing system:auth-delegator need by [@​Skarlso](https://github.com/Skarlso) in [#​5174](external-secrets/external-secrets#5174) - Adding support different type auth sources by [@​preved911](https://github.com/preved911) in [#​4877](external-secrets/external-secrets#4877) - fix: stability update document did not update the stability table correctly by [@​Skarlso](https://github.com/Skarlso) in [#​5176](external-secrets/external-secrets#5176) - Add esv1.AnnotationForceSync for CES and ES by [@​ntnn](https://github.com/ntnn) in [#​5156](external-secrets/external-secrets#5156) - fix: helm build failing by [@​Skarlso](https://github.com/Skarlso) in [#​5178](external-secrets/external-secrets#5178) - fix: remove release- branch automation by [@​moolen](https://github.com/moolen) in [#​5182](external-secrets/external-secrets#5182) - chore: update dependencies by [@​eso-service-account-app](https://github.com/eso-service-account-app)\[bot] in [#​5181](external-secrets/external-secrets#5181) - docs: update bitwarden documentation for dataFrom field usage by [@​Skarlso](https://github.com/Skarlso) in [#​5196](external-secrets/external-secrets#5196) - feat: add contributor ladder by [@​gusfcarvalho](https://github.com/gusfcarvalho) in [#​5150](external-secrets/external-secrets#5150) - feat: support vault provider check and set for push secrets by [@​webstradev](https://github.com/webstradev) in [#​5197](external-secrets/external-secrets#5197) - chore(docs): update helm charts by [@​gusfcarvalho](https://github.com/gusfcarvalho) in [#​5203](external-secrets/external-secrets#5203) - chore(ci): fix sonarqube security warnings in helm.yml by [@​webstradev](https://github.com/webstradev) in [#​5202](external-secrets/external-secrets#5202) - chore: add pull request maintenance auto labelling and sizes by [@​Skarlso](https://github.com/Skarlso) in [#​5200](external-secrets/external-secrets#5200) - fix: update the label verification step by [@​Skarlso](https://github.com/Skarlso) in [#​5209](external-secrets/external-secrets#5209) - feat: add infisical k8s auth with Client JWT as Reviewer JWT Token support by [@​tuxtof](https://github.com/tuxtof) in [#​5168](external-secrets/external-secrets#5168) - feat: improve error message for json marshalling/unmarshalling by [@​webstradev](https://github.com/webstradev) in [#​5211](external-secrets/external-secrets#5211) - chore: enhance `helm-values-schema-json` schema plugin management logic by [@​jakobmoellerdev](https://github.com/jakobmoellerdev) in [#​5212](external-secrets/external-secrets#5212) - fix(aws): stop incrementing the UUID for versions by [@​Skarlso](https://github.com/Skarlso) in [#​5175](external-secrets/external-secrets#5175) - feat: enable secure serving for metrics \[issue 4614] by [@​rkferreira](https://github.com/rkferreira) in [#​5169](external-secrets/external-secrets#5169) - fix(infisical): fix TokenAuth auth method by escaping the token revocation by [@​arthlr](https://github.com/arthlr) in [#​5217](external-secrets/external-secrets#5217) - fix: tilt build was failing to rebuild by [@​Skarlso](https://github.com/Skarlso) in [#​5225](external-secrets/external-secrets#5225) - feat: add selectable fields to the CRDs by [@​Skarlso](https://github.com/Skarlso) in [#​5226](external-secrets/external-secrets#5226) - ref: removing Yandex Cloud specific common types declaration duplication by [@​preved911](https://github.com/preved911) in [#​4905](external-secrets/external-secrets#4905) - fix: missing codeowners file from .github folder by [@​Skarlso](https://github.com/Skarlso) in [#​5228](external-secrets/external-secrets#5228) - feat: add setting remote namespace to metadata for kubernetes provider by [@​Skarlso](https://github.com/Skarlso) in [#​5224](external-secrets/external-secrets#5224) - feat: add support for certs only in pkcs12 by [@​devnopt](https://github.com/devnopt) in [#​4875](external-secrets/external-secrets#4875) - docs: document redundant clusterName/clusterLocation parameters in GCP Secret Manager docs by [@​ionicsolutions](https://github.com/ionicsolutions) in [#​5208](external-secrets/external-secrets#5208) - feat: Allow adding finalizers from template by [@​malovme](https://github.com/malovme) in [#​5140](external-secrets/external-secrets#5140) - fix: controller-runtime update by [@​gusfcarvalho](https://github.com/gusfcarvalho) in [#​5239](external-secrets/external-secrets#5239) - chore: update dependencies by [@​eso-service-account-app](https://github.com/eso-service-account-app)\[bot] in [#​5229](external-secrets/external-secrets#5229) - fix: Prevent secretstore reconcile loop when provider error response is dynamic by [@​dakotaharden](https://github.com/dakotaharden) in [#​5247](external-secrets/external-secrets#5247) - feat: add finalizers to SecretStores when referenced by PushSecrets with DeletionPolicy=Delete by [@​matheusmazzoni](https://github.com/matheusmazzoni) in [#​5163](external-secrets/external-secrets#5163) - fix: keepersecurity support for shortcuts by [@​pepordev](https://github.com/pepordev) in [#​5245](external-secrets/external-secrets#5245) - feat: add support for GCP Workload Identity Federation by [@​bharath-b-rh](https://github.com/bharath-b-rh) in [#​4654](external-secrets/external-secrets#4654) - feat: support fetching secrets and certificates by name in Yandex Lockbox & Certificate Manager by [@​alliseeisgold](https://github.com/alliseeisgold) in [#​5022](external-secrets/external-secrets#5022) - chore(charts): Adds new make target for installing unittest plugin by [@​bharath-b-rh](https://github.com/bharath-b-rh) in [#​5250](external-secrets/external-secrets#5250) - docs(templating): added clarifying comments to Github generator example by [@​nielstenboom](https://github.com/nielstenboom) in [#​5248](external-secrets/external-secrets#5248) - feat(release): add new workflow to label first time contributor issues by [@​mouhsen-ibrahim](https://github.com/mouhsen-ibrahim) in [#​5243](external-secrets/external-secrets#5243) - feat(security): Adds an option to make HTTP2 configurable by [@​siddhibhor-56](https://github.com/siddhibhor-56) in [#​5231](external-secrets/external-secrets#5231) - feat: add retry for onepassword on authorization error by [@​Skarlso](https://github.com/Skarlso) in [#​5253](external-secrets/external-secrets#5253) - fix: handle namespace deletion race conditions with finalizers by [@​framsouza](https://github.com/framsouza) in [#​5154](external-secrets/external-secrets#5154) - docs: update stability and support by [@​anders-swanson](https://github.com/anders-swanson) in [#​5257](external-secrets/external-secrets#5257) - fix(akeyless): Upgrade Akeyless Provider Go SDK to v4 by [@​kgal-akl](https://github.com/kgal-akl) in [#​5263](external-secrets/external-secrets#5263) - feat: support Pod Identity authentication for Vault Provider by [@​webstradev](https://github.com/webstradev) in [#​5201](external-secrets/external-secrets#5201) - feat: add domain field to secretserver provider by [@​rkferreira](https://github.com/rkferreira) in [#​5258](external-secrets/external-secrets#5258) - chore(release): Migrate to actions/create-github-app-token action by [@​mouhsen-ibrahim](https://github.com/mouhsen-ibrahim) in [#​5264](external-secrets/external-secrets#5264) - chore: just updating the crd conformance tests by [@​Skarlso](https://github.com/Skarlso) in [#​5265](external-secrets/external-secrets#5265) - chore(revert): "chore(release): Migrate to actions/create-github-app-token action" by [@​Skarlso](https://github.com/Skarlso) in [#​5269](external-secrets/external-secrets#5269) - chore: azure sdk update by [@​hauswio](https://github.com/hauswio) in [#​5162](external-secrets/external-secrets#5162) - feat: add support for fetching Secret by Path on Delinea Secret Server provider by [@​DelineaSahilWankhede](https://github.com/DelineaSahilWankhede) in [#​5270](external-secrets/external-secrets#5270) - feat: migrate from tibdex to actions/create-github-app-token by [@​rkferreira](https://github.com/rkferreira) in [#​5286](external-secrets/external-secrets#5286) - fix: license headers across all Go files - standardize format, add missing copyright, fix typos by [@​Copilot](https://github.com/Copilot) in [#​5288](external-secrets/external-secrets#5288) - fix: the boilerplate was missing the right license format by [@​Skarlso](https://github.com/Skarlso) in [#​5289](external-secrets/external-secrets#5289) - chore(license): add automated license header checking using Apache SkyWalking Eyes GitHub Action by [@​Copilot](https://github.com/Copilot) in [#​5290](external-secrets/external-secrets#5290) - chore(docs): remove GitHub Discussions references and update support channels by [@​jakobmoellerdev](https://github.com/jakobmoellerdev) in [#​5292](external-secrets/external-secrets#5292) - docs: updated the ladder with two new tracks: documentation and community by [@​Skarlso](https://github.com/Skarlso) in [#​5298](external-secrets/external-secrets#5298) - docs(release): create upgrading section by [@​rkferreira](https://github.com/rkferreira) in [#​5310](external-secrets/external-secrets#5310) - docs: readme update for health of the project by [@​Skarlso](https://github.com/Skarlso) in [#​5309](external-secrets/external-secrets#5309) - fix: validate namespace in secretRef by [@​moolen](https://github.com/moolen) in [#​5311](external-secrets/external-secrets#5311) - docs: add burnout prevention strategies and mitigation policy document by [@​Skarlso](https://github.com/Skarlso) in [#​5307](external-secrets/external-secrets#5307) - feat: add missing go sbom by [@​moolen](https://github.com/moolen) in [#​5313](external-secrets/external-secrets#5313) - feat: make vault e2e tests run locally by [@​moolen](https://github.com/moolen) in [#​5246](external-secrets/external-secrets#5246) - chore: update dependencies by [@​eso-service-account-app](https://github.com/eso-service-account-app)\[bot] in [#​5324](external-secrets/external-secrets#5324) - feat: add Cloudsmith generator for container registry authentication by [@​cloudsmith-iduffy](https://github.com/cloudsmith-iduffy) in [#​5267](external-secrets/external-secrets#5267) - feat: Add lgtm review automation step to ci workflows. by [@​webstradev](https://github.com/webstradev) in [#​5251](external-secrets/external-secrets#5251) - feat(provider): add Volcengine provider support by [@​kevinyancn](https://github.com/kevinyancn) in [#​5306](external-secrets/external-secrets#5306) - test: add more information to potentially flaky test by [@​Skarlso](https://github.com/Skarlso) in [#​5330](external-secrets/external-secrets#5330) - fix(docs): Fix typo in controller options doc by [@​tspearconquest](https://github.com/tspearconquest) in [#​5299](external-secrets/external-secrets#5299) - chore(testing): Add licence.check make target by [@​jonstacks](https://github.com/jonstacks) in [#​5335](external-secrets/external-secrets#5335) - docs(gitlab-variables): document environment scope fallback by [@​s1nyx](https://github.com/s1nyx) in [#​5300](external-secrets/external-secrets#5300) ##### Dependencies - chore(deps): bump mkdocs-macros-plugin from 1.3.7 to 1.3.9 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5190](external-secrets/external-secrets#5190) - chore(deps): bump requests from 2.32.4 to 2.32.5 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5191](external-secrets/external-secrets#5191) - chore(deps): bump golang from 1.24.6-bookworm to 1.25.0-bookworm in /e2e by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5189](external-secrets/external-secrets#5189) - chore(deps): bump goreleaser/goreleaser-action from 6.3.0 to 6.4.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5188](external-secrets/external-secrets#5188) - chore(deps): bump actions/create-github-app-token from 2.1.0 to 2.1.1 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5187](external-secrets/external-secrets#5187) - chore(deps): bump anchore/sbom-action from 0.20.4 to 0.20.5 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5186](external-secrets/external-secrets#5186) - chore(deps): bump codecov/codecov-action from 5.4.3 to 5.5.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5184](external-secrets/external-secrets#5184) - chore(deps): bump golang from 1.24.6 to 1.25.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5194](external-secrets/external-secrets#5194) - chore(deps): bump github/codeql-action from 3.29.8 to 3.29.11 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5195](external-secrets/external-secrets#5195) - chore(deps): bump ubi8/ubi from `4f0a4e4` to `7010e70` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5193](external-secrets/external-secrets#5193) - chore(deps): bump mkdocs-material from 9.6.16 to 9.6.18 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5192](external-secrets/external-secrets#5192) - chore(deps): bump actions/checkout from 4.2.2 to 5.0.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5198](external-secrets/external-secrets#5198) - chore(deps): bump actions/dependency-review-action from 4.7.1 to 4.7.2 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5199](external-secrets/external-secrets#5199) - chore(deps): bump aquasecurity/trivy-action from 0.32.0 to 0.33.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5234](external-secrets/external-secrets#5234) - chore(deps): bump actions/dependency-review-action from 4.7.2 to 4.7.3 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5236](external-secrets/external-secrets#5236) - chore(deps): bump ubi8/ubi from `7010e70` to `534c2c0` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5237](external-secrets/external-secrets#5237) - chore(deps): bump actions/attest-build-provenance from 2.4.0 to 3.0.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5238](external-secrets/external-secrets#5238) - chore(deps): bump regex from 2025.7.34 to 2025.8.29 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5242](external-secrets/external-secrets#5242) - chore(deps): bump platformdirs from 4.3.8 to 4.4.0 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5241](external-secrets/external-secrets#5241) - chore(deps): bump distroless/static from `2e114d2` to `f2ff10a` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5240](external-secrets/external-secrets#5240) - chore(deps): bump golang from 1.25.0 to 1.25.1 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5275](external-secrets/external-secrets#5275) - chore(deps): bump actions/github-script from 7.0.1 to 8.0.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5274](external-secrets/external-secrets#5274) - chore(deps): bump actions/stale from 9.1.0 to 10.0.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5273](external-secrets/external-secrets#5273) - chore(deps): bump actions/setup-go from 5.5.0 to 6.0.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5276](external-secrets/external-secrets#5276) - chore(deps): bump mkdocs-material from 9.6.18 to 9.6.19 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5279](external-secrets/external-secrets#5279) - chore(deps): bump codecov/codecov-action from 5.5.0 to 5.5.1 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5278](external-secrets/external-secrets#5278) - chore(deps): bump github/codeql-action from 3.29.11 to 3.30.1 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5277](external-secrets/external-secrets#5277) - chore(deps): bump markdown from 3.8.2 to 3.9 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5281](external-secrets/external-secrets#5281) - chore(deps): bump golang from 1.25.0-bookworm to 1.25.1-bookworm in /e2e by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5280](external-secrets/external-secrets#5280) - chore(deps): bump regex from 2025.8.29 to 2025.9.1 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5282](external-secrets/external-secrets#5282) - chore(deps): bump golang from `b6ed3fd` to `b6ed3fd` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5318](external-secrets/external-secrets#5318) - chore(deps): bump actions/setup-python from 5.6.0 to 6.0.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5317](external-secrets/external-secrets#5317) - chore(deps): bump github/codeql-action from 3.30.1 to 3.30.3 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5319](external-secrets/external-secrets#5319) - chore(deps): bump distroless/static from `f2ff10a` to `87bce11` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5320](external-secrets/external-secrets#5320) - chore(deps): bump actions/labeler from 5.0.0 to 6.0.1 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5323](external-secrets/external-secrets#5323) - chore(deps): bump softprops/action-gh-release from 2.3.2 to 2.3.3 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5321](external-secrets/external-secrets#5321) - chore(deps): bump actions/create-github-app-token from 2.1.1 to 2.1.4 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5322](external-secrets/external-secrets#5322) - chore(deps): bump actions/create-github-app-token from 2.1.1 to 2.1.4 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5339](external-secrets/external-secrets#5339) - chore(deps): bump aquasecurity/trivy-action from 0.33.0 to 0.33.1 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5344](external-secrets/external-secrets#5344) - chore(deps): bump mkdocs-material from 9.6.19 to 9.6.20 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5345](external-secrets/external-secrets#5345) - chore(deps): bump step-security/harden-runner from 2.13.0 to 2.13.1 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5343](external-secrets/external-secrets#5343) - chore(deps): bump sigstore/cosign-installer from 3.9.2 to 3.10.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5340](external-secrets/external-secrets#5340) - chore(deps): bump anchore/sbom-action from 0.20.5 to 0.20.6 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5341](external-secrets/external-secrets#5341) - chore(deps): bump regex from 2025.9.1 to 2025.9.18 in /hack/api-docs by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5346](external-secrets/external-secrets#5346) - chore(deps): bump apache/skywalking-eyes from 0.6.0 to 0.7.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​5342](external-secrets/external-secrets#5342) #### New Contributors - [@​mjtrangoni](https://github.com/mjtrangoni) made their first contribution in [#​5139](external-secrets/external-secrets#5139) - [@​muckelba](https://github.com/muckelba) made their first contribution in [#​5146](external-secrets/external-secrets#5146) - [@​DrummyFloyd](https://github.com/DrummyFloyd) made their first contribution in [#​5144](external-secrets/external-secrets#5144) - [@​sriaradhyula](https://github.com/sriaradhyula) made their first contribution in [#​5159](external-secrets/external-secrets#5159) - [@​jonstacks](https://github.com/jonstacks) made their first contribution in [#​5161](external-secrets/external-secrets#5161) - [@​matheusmazzoni](https://github.com/matheusmazzoni) made their first contribution in [#​5155](external-secrets/external-secrets#5155) - [@​nirajsapkota](https://github.com/nirajsapkota) made their first contribution in [#​4878](external-secrets/external-secrets#4878) - [@​L1ghtman2k](https://github.com/L1ghtman2k) made their first contribution in [#​5138](external-secrets/external-secrets#5138) - [@​gecube](https://github.com/gecube) made their first contribution in [#​5171](external-secrets/external-secrets#5171) - [@​preved911](https://github.com/preved911) made their first contribution in [#​4877](external-secrets/external-secrets#4877) - [@​ntnn](https://github.com/ntnn) made their first contribution in [#​5156](external-secrets/external-secrets#5156) - [@​webstradev](https://github.com/webstradev) made their first contribution in [#​5197](external-secrets/external-secrets#5197) - [@​rkferreira](https://github.com/rkferreira) made their first contribution in [#​5169](external-secrets/external-secrets#5169) - [@​arthlr](https://github.com/arthlr) made their first contribution in [#​5217](external-secrets/external-secrets#5217) - [@​devnopt](https://github.com/devnopt) made their first contribution in [#​4875](external-secrets/external-secrets#4875) - [@​dakotaharden](https://github.com/dakotaharden) made their first contribution in [#​5247](external-secrets/external-secrets#5247) - [@​bharath-b-rh](https://github.com/bharath-b-rh) made their first contribution in [#​4654](external-secrets/external-secrets#4654) - [@​alliseeisgold](https://github.com/alliseeisgold) made their first contribution in [#​5022](external-secrets/external-secrets#5022) - [@​nielstenboom](https://github.com/nielstenboom) made their first contribution in [#​5248](external-secrets/external-secrets#5248) - [@​siddhibhor-56](https://github.com/siddhibhor-56) made their first contribution in [#​5231](external-secrets/external-secrets#5231) - [@​framsouza](https://github.com/framsouza) made their first contribution in [#​5154](external-secrets/external-secrets#5154) - [@​kgal-akl](https://github.com/kgal-akl) made their first contribution in [#​5263](external-secrets/external-secrets#5263) - [@​hauswio](https://github.com/hauswio) made their first contribution in [#​5162](external-secrets/external-secrets#5162) - [@​Copilot](https://github.com/Copilot) made their first contribution in [#​5288](external-secrets/external-secrets#5288) - [@​cloudsmith-iduffy](https://github.com/cloudsmith-iduffy) made their first contribution in [#​5267](external-secrets/external-secrets#5267) - [@​kevinyancn](https://github.com/kevinyancn) made their first contribution in [#​5306](external-secrets/external-secrets#5306) - [@​s1nyx](https://github.com/s1nyx) made their first contribution in [#​5300](external-secrets/external-secrets#5300) **Full Changelog**: <external-secrets/external-secrets@v0.19.2...v0.20.1> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xMTYuNiIsInVwZGF0ZWRJblZlciI6IjQxLjExNi42IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJjaGFydCJdfQ==--> Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/1555 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
patjlm
added a commit
to patjlm/external-secrets
that referenced
this pull request
Feb 3, 2026
Extends metadata server auto-detection to include the projectID field when using Workload Identity in GKE. Builds upon the foundation from external-secrets#4575, external-secrets#4622, and external-secrets#5208 which made cluster identity parameters optional. Problem: While cluster identity parameters (ClusterLocation, ClusterName, ClusterProjectID) became optional via metadata server lookup, the main projectID field (specifying where secrets are stored) remained required. This forced users to parameterize SecretStore configurations per-cluster, preventing static GitOps deployments via Config Sync/Fleet in multi-project environments. Solution: When projectID is omitted from SecretStore/ClusterSecretStore spec: 1. clusterProjectID() falls back to GCP metadata server 2. NewClient() populates gcpStore.ProjectID with detected value This allows the operator to access secrets in the same project as the GKE cluster without explicit configuration. Use Cases: - Portable SecretStore configs across multiple GCP projects - Static bootstrap manifests via Config Sync without parameterization - Eliminates cross-cluster network dependencies for private GKE clusters Changes: - provider.go: Add metadata server fallback in clusterProjectID() - provider.go: Populate gcpStore.ProjectID from clusterProjectID when empty - workload_identity_test.go: Add TestClusterProjectIDMetadataFallback - docs: Document projectID auto-detection feature with examples Note: projectID remains required when using static service account credentials, running outside GKE, or accessing secrets in a different project than the GKE cluster. Signed-off-by: Patrick Martin <patmarti@redhat.com>
5 tasks
patjlm
added a commit
to patjlm/external-secrets
that referenced
this pull request
Feb 9, 2026
Extends metadata server auto-detection to include the projectID field when using Workload Identity in GKE. Builds upon the foundation from external-secrets#4575, external-secrets#4622, and external-secrets#5208 which made cluster identity parameters optional. Problem: While cluster identity parameters (ClusterLocation, ClusterName, ClusterProjectID) became optional via metadata server lookup, the main projectID field (specifying where secrets are stored) remained required. This forced users to parameterize SecretStore configurations per-cluster, preventing static GitOps deployments via Config Sync/Fleet in multi-project environments. Solution: When projectID is omitted from SecretStore/ClusterSecretStore spec: 1. clusterProjectID() falls back to GCP metadata server 2. NewClient() populates gcpStore.ProjectID with detected value This allows the operator to access secrets in the same project as the GKE cluster without explicit configuration. Use Cases: - Portable SecretStore configs across multiple GCP projects - Static bootstrap manifests via Config Sync without parameterization - Eliminates cross-cluster network dependencies for private GKE clusters Changes: - provider.go: Add metadata server fallback in clusterProjectID() - provider.go: Populate gcpStore.ProjectID from clusterProjectID when empty - workload_identity_test.go: Add TestClusterProjectIDMetadataFallback - docs: Document projectID auto-detection feature with examples Note: projectID remains required when using static service account credentials, running outside GKE, or accessing secrets in a different project than the GKE cluster. Signed-off-by: Patrick Martin <patmarti@redhat.com>
patjlm
added a commit
to patjlm/external-secrets
that referenced
this pull request
Mar 4, 2026
Extends metadata server auto-detection to include the projectID field when using Workload Identity in GKE. Builds upon the foundation from external-secrets#4575, external-secrets#4622, and external-secrets#5208 which made cluster identity parameters optional. Problem: While cluster identity parameters (ClusterLocation, ClusterName, ClusterProjectID) became optional via metadata server lookup, the main projectID field (specifying where secrets are stored) remained required. This forced users to parameterize SecretStore configurations per-cluster, preventing static GitOps deployments via Config Sync/Fleet in multi-project environments. Solution: When projectID is omitted from SecretStore/ClusterSecretStore spec: 1. clusterProjectID() falls back to GCP metadata server 2. NewClient() populates gcpStore.ProjectID with detected value This allows the operator to access secrets in the same project as the GKE cluster without explicit configuration. Use Cases: - Portable SecretStore configs across multiple GCP projects - Static bootstrap manifests via Config Sync without parameterization - Eliminates cross-cluster network dependencies for private GKE clusters Changes: - provider.go: Add metadata server fallback in clusterProjectID() - provider.go: Populate gcpStore.ProjectID from clusterProjectID when empty - workload_identity_test.go: Add TestClusterProjectIDMetadataFallback - docs: Document projectID auto-detection feature with examples Note: projectID remains required when using static service account credentials, running outside GKE, or accessing secrets in a different project than the GKE cluster. Signed-off-by: Patrick Martin <patmarti@redhat.com>
patjlm
added a commit
to patjlm/external-secrets
that referenced
this pull request
Mar 6, 2026
Extends metadata server auto-detection to include the projectID field when using Workload Identity in GKE. Builds upon the foundation from external-secrets#4575, external-secrets#4622, and external-secrets#5208 which made cluster identity parameters optional. Problem: While cluster identity parameters (ClusterLocation, ClusterName, ClusterProjectID) became optional via metadata server lookup, the main projectID field (specifying where secrets are stored) remained required. This forced users to parameterize SecretStore configurations per-cluster, preventing static GitOps deployments via Config Sync/Fleet in multi-project environments. Solution: When projectID is omitted from SecretStore/ClusterSecretStore spec: 1. clusterProjectID() falls back to GCP metadata server 2. NewClient() populates gcpStore.ProjectID with detected value This allows the operator to access secrets in the same project as the GKE cluster without explicit configuration. Use Cases: - Portable SecretStore configs across multiple GCP projects - Static bootstrap manifests via Config Sync without parameterization - Eliminates cross-cluster network dependencies for private GKE clusters Changes: - provider.go: Add metadata server fallback in clusterProjectID() - provider.go: Populate gcpStore.ProjectID from clusterProjectID when empty - workload_identity_test.go: Add TestClusterProjectIDMetadataFallback - docs: Document projectID auto-detection feature with examples Note: projectID remains required when using static service account credentials, running outside GKE, or accessing secrets in a different project than the GKE cluster. Signed-off-by: Patrick Martin <patmarti@redhat.com>
patjlm
added a commit
to patjlm/external-secrets
that referenced
this pull request
Mar 6, 2026
Extends metadata server auto-detection to include the projectID field when using Workload Identity in GKE. Builds upon the foundation from external-secrets#4575, external-secrets#4622, and external-secrets#5208 which made cluster identity parameters optional. Problem: While cluster identity parameters (ClusterLocation, ClusterName, ClusterProjectID) became optional via metadata server lookup, the main projectID field (specifying where secrets are stored) remained required. This forced users to parameterize SecretStore configurations per-cluster, preventing static GitOps deployments via Config Sync/Fleet in multi-project environments. Solution: When projectID is omitted from SecretStore/ClusterSecretStore spec: 1. clusterProjectID() falls back to GCP metadata server 2. NewClient() populates gcpStore.ProjectID with detected value This allows the operator to access secrets in the same project as the GKE cluster without explicit configuration. Use Cases: - Portable SecretStore configs across multiple GCP projects - Static bootstrap manifests via Config Sync without parameterization - Eliminates cross-cluster network dependencies for private GKE clusters Changes: - provider.go: Add metadata server fallback in clusterProjectID() - provider.go: Populate gcpStore.ProjectID from clusterProjectID when empty - workload_identity_test.go: Add TestClusterProjectIDMetadataFallback - docs: Document projectID auto-detection feature with examples Note: projectID remains required when using static service account credentials, running outside GKE, or accessing secrets in a different project than the GKE cluster. Signed-off-by: Patrick Martin <patmarti@redhat.com>
patjlm
added a commit
to patjlm/external-secrets
that referenced
this pull request
Mar 6, 2026
Extends metadata server auto-detection to include the projectID field when using Workload Identity in GKE. Builds upon the foundation from external-secrets#4575, external-secrets#4622, and external-secrets#5208 which made cluster identity parameters optional. Problem: While cluster identity parameters (ClusterLocation, ClusterName, ClusterProjectID) became optional via metadata server lookup, the main projectID field (specifying where secrets are stored) remained required. This forced users to parameterize SecretStore configurations per-cluster, preventing static GitOps deployments via Config Sync/Fleet in multi-project environments. Solution: When projectID is omitted from SecretStore/ClusterSecretStore spec: 1. clusterProjectID() falls back to GCP metadata server 2. NewClient() populates gcpStore.ProjectID with detected value This allows the operator to access secrets in the same project as the GKE cluster without explicit configuration. Use Cases: - Portable SecretStore configs across multiple GCP projects - Static bootstrap manifests via Config Sync without parameterization - Eliminates cross-cluster network dependencies for private GKE clusters Changes: - provider.go: Add metadata server fallback in clusterProjectID() - provider.go: Populate gcpStore.ProjectID from clusterProjectID when empty - workload_identity_test.go: Add TestClusterProjectIDMetadataFallback - docs: Document projectID auto-detection feature with examples Note: projectID remains required when using static service account credentials, running outside GKE, or accessing secrets in a different project than the GKE cluster. Signed-off-by: Patrick Martin <patmarti@redhat.com>
patjlm
added a commit
to patjlm/external-secrets
that referenced
this pull request
Mar 11, 2026
Extends metadata server auto-detection to include the projectID field when using Workload Identity in GKE. Builds upon the foundation from external-secrets#4575, external-secrets#4622, and external-secrets#5208 which made cluster identity parameters optional. Problem: While cluster identity parameters (ClusterLocation, ClusterName, ClusterProjectID) became optional via metadata server lookup, the main projectID field (specifying where secrets are stored) remained required. This forced users to parameterize SecretStore configurations per-cluster, preventing static GitOps deployments via Config Sync/Fleet in multi-project environments. Solution: When projectID is omitted from SecretStore/ClusterSecretStore spec: 1. clusterProjectID() falls back to GCP metadata server 2. NewClient() populates gcpStore.ProjectID with detected value This allows the operator to access secrets in the same project as the GKE cluster without explicit configuration. Use Cases: - Portable SecretStore configs across multiple GCP projects - Static bootstrap manifests via Config Sync without parameterization - Eliminates cross-cluster network dependencies for private GKE clusters Changes: - provider.go: Add metadata server fallback in clusterProjectID() - provider.go: Populate gcpStore.ProjectID from clusterProjectID when empty - workload_identity_test.go: Add TestClusterProjectIDMetadataFallback - docs: Document projectID auto-detection feature with examples Note: projectID remains required when using static service account credentials, running outside GKE, or accessing secrets in a different project than the GKE cluster. Signed-off-by: Patrick Martin <patmarti@redhat.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem Statement
Since #4575 it's no longer necessary to define
clusterNameandclusterLocationwhen setting up aSecretStoreon a GKE cluster.This PR updates the GCP Secret Manager provider docs to reflect this UX enhancement.
Related Issue
Documents #4575
Proposed Changes
N/A
Checklist
git commit --signoffmake testmake reviewable