feat(container): update ghcr.io/external-secrets/charts/external-secrets ( 0.18.2 → 0.19.0 )

[mchesterbot]

This PR contains the following updates:

Package	Update	Change
ghcr.io/external-secrets/charts/external-secrets	minor	0.18.2 -> 0.19.0

---

Release Notes

external-secrets/external-secrets (ghcr.io/external-secrets/charts/external-secrets)

v0.19.0

Compare Source

BREAKING CHANGE

🔴 🔴 BREAKING CHANGE 🔴 🔴

Please note that this a breaking change because our CRDs are now too big. Meaning a simple kubectl apply or Argo's default client side apply WILL NOT WORK! You have to add --server-side to kubectl apply and in argo add:

spec:
  project: default
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true
    - ServerSideApply=true

How to do it in kubectl:

kubectl apply --server-side ...

for it to correctly install the CRDs. Thank you.

Image: ghcr.io/external-secrets/external-secrets:v0.19.0
Image: ghcr.io/external-secrets/external-secrets:v0.19.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.19.0-ubi-boringssl

What's Changed

• chore: release helm chart for v0.18.2 by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4985
• chore(deps): bump golang from ee7ff13 to 10f549d in /e2e by @​dependabot[bot] inhttps://github.com/external-secrets/external-secrets/pull/49977
• chore(deps): bump golang from 68932fa to 68932fa by @​dependabot[bot] inhttps://github.com/external-secrets/external-secrets/pull/50000
• chore(deps): bump mkdocs-material from 9.6.14 to 9.6.15 in /hack/api-docs by @​dependabot[bot] inhttps://github.com/external-secrets/external-secrets/pull/49988
• chore(deps): bump anchore/sbom-action from 0.20.1 to 0.20.2 by @​dependabot[bot] inhttps://github.com/external-secrets/external-secrets/pull/50011
• chore(deps): bump github/codeql-action from 3.29.1 to 3.29.2 by @​dependabot[bot] inhttps://github.com/external-secrets/external-secrets/pull/50033
• chore(deps): bump aquasecurity/trivy-action from 0.31.0 to 0.32.0 by @​dependabot[bot] inhttps://github.com/external-secrets/external-secrets/pull/50022
• fix: do not turn original value into string on value scope by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/5011
• fix: add uuid in edit and view clusterroles by @​sylvainOL in https://github.com/external-secrets/external-secrets/pull/5017
• chore: update dependencies by @​eso-service-account-app[bot] inhttps://github.com/external-secrets/external-secrets/pull/49999
• fix: template data should not be the secret Data itself by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/5023
• Fix: Return appropriate error in ValidateStore by @​prakash-218 in https://github.com/external-secrets/external-secrets/pull/5019
• feat(helm): allow to set init containers by @​rclsilver in https://github.com/external-secrets/external-secrets/pull/4745
• chore(deps): bump certifi from 2025.6.15 to 2025.7.14 in /hack/api-docs by @​dependabot[bot] inhttps://github.com/external-secrets/external-secrets/pull/50322
• Fix: Remove root/buildinfo from ubi build files by @​bainsy88 in https://github.com/external-secrets/external-secrets/pull/5037
• chore(deps): bump ubi8/ubi from 19eae3d to c0b0729 by @​dependabot[bot] inhttps://github.com/external-secrets/external-secrets/pull/50333
• chore(deps): bump golang from 1.24.4-bookworm to 1.24.5-bookworm in /e2e by @​dependabot[bot] inhttps://github.com/external-secrets/external-secrets/pull/50299
• chore(deps): bump golang from 1.24.4 to 1.24.5 by @​dependabot[bot] inhttps://github.com/external-secrets/external-secrets/pull/50344
• chore: update dependencies by @​eso-service-account-app[bot] inhttps://github.com/external-secrets/external-secrets/pull/50311
• Add Red Hat OpenShift in Adopters by @​KeenonLee in https://github.com/external-secrets/external-secrets/pull/5039
• fix: remove authentication option with JWT token from STSSessionToken generator by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/5026
• fix: add validation constraints to ExternalSecretRewrite by @​Aakkash-Suresh in https://github.com/external-secrets/external-secrets/pull/5006
• fix: stability support matrix by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/5043
• docs(decoding-strategy): clarify base64 auto-detection limitations by @​orymate in https://github.com/external-secrets/external-secrets/pull/5004
• feat(infisical): auth methods by @​DanielHougaard in https://github.com/external-secrets/external-secrets/pull/5040
• chore(deps): bump alpine from 3.22.0 to 3.22.1 in /e2e by @​dependabot[bot] inhttps://github.com/external-secrets/external-secrets/pull/50466
• chore(aws): parameterstore unit tests improvement by @​ivankatliarchuk in https://github.com/external-secrets/external-secrets/pull/4986
• fix(helm): grafana dashboard: fix heatmaps to actually be heatmaps, not time series by @​desaintmartin in https://github.com/external-secrets/external-secrets/pull/5069
• chore(deps): bump sigstore/cosign-installer from 3.9.1 to 3.9.2 by @​dependabot[bot] inhttps://github.com/external-secrets/external-secrets/pull/50477
• chore(deps): bump step-security/harden-runner from 2.12.2 to 2.13.0 by @​dependabot[bot] inhttps://github.com/external-secrets/external-secrets/pull/50488
• chore(deps): bump golang from ddf5200 to daae04e by @​dependabot[bot] inhttps://github.com/external-secrets/external-secrets/pull/50499
• chore(deps): bump alpine from 8a1f59f to 4bcff63 by @​dependabot[bot] inhttps://github.com/external-secrets/external-secrets/pull/50511
• chore(deps): bump alpine from 8a1f59f to 4bcff63 in /hack/api-docs by @​dependabot[bot] inhttps://github.com/external-secrets/external-secrets/pull/50522
• chore(deps): bump mkdocs-material from 9.6.15 to 9.6.16 in /hack/api-docs by @​dependabot[bot] inhttps://github.com/external-secrets/external-secrets/pull/50777
• Add SelfSubjectAccessReview as a fallback for failing SelfSubjectRulesReview by @​alvin-rw in https://github.com/external-secrets/external-secrets/pull/5025
• chore(deps): bump golang from 69adc37 to ef8c5c7 in /e2e by @​dependabot[bot] inhttps://github.com/external-secrets/external-secrets/pull/50766
• chore(deps): bump ubi8/ubi from c0b0729 to 785d38c by @​dependabot[bot] inhttps://github.com/external-secrets/external-secrets/pull/50755
• chore(deps): bump github/codeql-action from 3.29.2 to 3.29.4 by @​dependabot[bot] inhttps://github.com/external-secrets/external-secrets/pull/50722
• chore(deps): bump anchore/sbom-action from 0.20.2 to 0.20.4 by @​dependabot[bot] inhttps://github.com/external-secrets/external-secrets/pull/50733
• SSHKey generator by @​dex4er in https://github.com/external-secrets/external-secrets/pull/5083
• fix: restore AWS credential chain resolution for ECRAuthorizationToken generator by @​aditmeno in https://github.com/external-secrets/external-secrets/pull/5082
• fix(helm): grafana dashboard: add widget for sum of not ready secrets by @​desaintmartin in https://github.com/external-secrets/external-secrets/pull/5086
• feat(aws): secretsmanager to update/patch/delete tags by @​ivankatliarchuk in https://github.com/external-secrets/external-secrets/pull/4984
• fix: update the e2e test with the new store status value by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/5089
• fix: correct usage of if in dlc and update for server side apply by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/5092

New Contributors

• @​sylvainOL made their first contribution in https://github.com/external-secrets/external-secrets/pull/5017
• @​prakash-218 made their first contribution in https://github.com/external-secrets/external-secrets/pull/5019
• @​rclsilver made their first contribution in https://github.com/external-secrets/external-secrets/pull/4745
• @​bainsy88 made their first contribution in https://github.com/external-secrets/external-secrets/pull/5037
• @​KeenonLee made their first contribution in https://github.com/external-secrets/external-secrets/pull/5039
• @​orymate made their first contribution in https://github.com/external-secrets/external-secrets/pull/5004
• @​desaintmartin made their first contribution in https://github.com/external-secrets/external-secrets/pull/5069
• @​alvin-rw made their first contribution in https://github.com/external-secrets/external-secrets/pull/5025
• @​dex4er made their first contribution in https://github.com/external-secrets/external-secrets/pull/5083
• @​aditmeno made their first contribution in https://github.com/external-secrets/external-secrets/pull/5082

Full Changelog: external-secrets/external-secrets@v0.18.2...v0.19.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[mchesterbot]

--- kubernetes/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets OCIRepository: external-secrets/external-secrets

+++ kubernetes/apps/external-secrets/external-secrets/app Kustomization: external-secrets/external-secrets OCIRepository: external-secrets/external-secrets

@@ -11,13 +11,13 @@

 spec:
   interval: 5m
   layerSelector:
     mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
     operation: copy
   ref:
-    tag: 0.18.2
+    tag: 0.19.0
   url: oci://ghcr.io/external-secrets/charts/external-secrets
   verify:
     matchOIDCIdentity:
     - issuer: ^https://token.actions.githubusercontent.com$
       subject: ^https://github.com/external-secrets/external-secrets.*$
     provider: cosign

[mchesterbot]

--- HelmRelease: external-secrets/external-secrets ClusterRole: external-secrets/external-secrets-controller

+++ HelmRelease: external-secrets/external-secrets ClusterRole: external-secrets/external-secrets-controller

@@ -67,12 +67,13 @@

   - ecrauthorizationtokens
   - fakes
   - gcraccesstokens
   - githubaccesstokens
   - quayaccesstokens
   - passwords
+  - sshkeys
   - stssessiontokens
   - uuids
   - vaultdynamicsecrets
   - webhooks
   - grafanas
   - mfas
--- HelmRelease: external-secrets/external-secrets ClusterRole: external-secrets/external-secrets-view

+++ HelmRelease: external-secrets/external-secrets ClusterRole: external-secrets/external-secrets-view

@@ -31,16 +31,18 @@

   - ecrauthorizationtokens
   - fakes
   - gcraccesstokens
   - githubaccesstokens
   - quayaccesstokens
   - passwords
+  - sshkeys
   - vaultdynamicsecrets
   - webhooks
   - grafanas
   - generatorstates
   - mfas
+  - uuids
   verbs:
   - get
   - watch
   - list
 
--- HelmRelease: external-secrets/external-secrets ClusterRole: external-secrets/external-secrets-edit

+++ HelmRelease: external-secrets/external-secrets ClusterRole: external-secrets/external-secrets-edit

@@ -32,17 +32,19 @@

   - ecrauthorizationtokens
   - fakes
   - gcraccesstokens
   - githubaccesstokens
   - quayaccesstokens
   - passwords
+  - sshkeys
   - vaultdynamicsecrets
   - webhooks
   - grafanas
   - generatorstates
   - mfas
+  - uuids
   verbs:
   - create
   - delete
   - deletecollection
   - patch
   - update
--- HelmRelease: external-secrets/external-secrets Deployment: external-secrets/external-secrets-cert-controller

+++ HelmRelease: external-secrets/external-secrets Deployment: external-secrets/external-secrets-cert-controller

@@ -34,13 +34,13 @@

             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
-        image: ghcr.io/external-secrets/external-secrets:v0.18.2
+        image: ghcr.io/external-secrets/external-secrets:v0.19.0
         imagePullPolicy: IfNotPresent
         args:
         - certcontroller
         - --crd-requeue-interval=5m
         - --service-name=external-secrets-webhook
         - --service-namespace=external-secrets
--- HelmRelease: external-secrets/external-secrets Deployment: external-secrets/external-secrets

+++ HelmRelease: external-secrets/external-secrets Deployment: external-secrets/external-secrets

@@ -34,13 +34,13 @@

             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
-        image: ghcr.io/external-secrets/external-secrets:v0.18.2
+        image: ghcr.io/external-secrets/external-secrets:v0.19.0
         imagePullPolicy: IfNotPresent
         args:
         - --enable-leader-election=true
         - --concurrent=1
         - --metrics-addr=:8080
         - --loglevel=info
--- HelmRelease: external-secrets/external-secrets Deployment: external-secrets/external-secrets-webhook

+++ HelmRelease: external-secrets/external-secrets Deployment: external-secrets/external-secrets-webhook

@@ -34,13 +34,13 @@

             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
-        image: ghcr.io/external-secrets/external-secrets:v0.18.2
+        image: ghcr.io/external-secrets/external-secrets:v0.19.0
         imagePullPolicy: IfNotPresent
         args:
         - webhook
         - --port=10250
         - --dns-name=external-secrets-webhook.external-secrets.svc
         - --cert-dir=/tmp/certs