Upgrade External Secrets Operator v2.2.0 + migrate Helm to kustomize (#312)

## Summary

- Upgrade External Secrets Operator from v1.3.2 (helm-chart-2.0.0) to v2.2.0
- Migrate from Helm chart deployment to static kustomize manifests, matching the repo's kustomize-first pattern
- Merge separate `-config` ArgoCD apps into the main operator apps (6 → 4 apps)
- Clean up Helm-specific labels (`helm.sh/chart`, `managed-by: Helm`)
- Update README example from v1beta1 to v1 API

## Breaking changes assessment

Low risk — v2.0.0 removed Alibaba and Device42 providers (we use neither). No templating changes affect us. All ExternalSecrets already use v1 API.

## Deployment steps

1. Sync CRDs first on both clusters (new CRD version)
2. Sync operator apps (now kustomize-based)
3. Verify ClusterSecretStore and all ExternalSecrets are healthy
4. Delete orphaned config apps: `argocd app delete external-secrets-config` and `-config-ringtail`
5. `mise run services-check`

Reviewed-on: #312
Erich Blume 2026-03-25 15:56:41 -07:00
commit 796baaa41a
16 changed files with 830 additions and 111 deletions
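Step 3 of the deployment steps is the gate the rest depends on. As an added example (not code from this commit or the blumeops repository), here is a small Python check that parses the JSON from `kubectl get externalsecret -A -o json` and `kubectl get clustersecretstore -o json` and lists every object whose `Ready` condition is missing or not `True`; the default context name `minikube-indri` is taken from the README hunk below, and the sample objects are constructed.

```python
"""Readiness gate for External Secrets Operator objects (added example).

Parses the JSON that `kubectl get externalsecret -A -o json` and
`kubectl get clustersecretstore -o json` emit and lists every object whose
Ready condition is absent or not True. Assumes only kubectl is installed.
"""
import json
import subprocess
import sys


def ready_condition(obj):
    """Return the Ready condition of an ESO object, or None if it has none yet."""
    for cond in obj.get("status", {}).get("conditions") or []:
        if cond.get("type") == "Ready":
            return cond
    return None


def unhealthy(obj_list):
    """Return (kind, namespace, name, reason, message) for each item of a
    kubectl List whose Ready condition is absent or not "True"."""
    problems = []
    for obj in obj_list.get("items", []):
        meta = obj.get("metadata", {})
        ident = (obj.get("kind"), meta.get("namespace"), meta.get("name"))
        cond = ready_condition(obj)
        if cond is None:
            # Freshly created or never reconciled: no status reported at all.
            problems.append(ident + ("NoStatus", "no Ready condition reported"))
        elif cond.get("status") != "True":
            problems.append(ident + (cond.get("reason"), cond.get("message")))
    return problems


def kubectl_get_json(context, kind, all_namespaces):
    """Run kubectl against the given context and parse its JSON output."""
    cmd = ["kubectl", f"--context={context}", "get", kind, "-o", "json"]
    if all_namespaces:
        cmd.append("-A")
    return json.loads(subprocess.check_output(cmd))


def check_cluster(context):
    """Problems across all ExternalSecrets and the cluster-scoped stores."""
    return (unhealthy(kubectl_get_json(context, "externalsecret", True))
            + unhealthy(kubectl_get_json(context, "clustersecretstore", False)))


# Constructed sample in the shape kubectl emits: one synced ExternalSecret,
# one failing, one with no status yet, and one healthy ClusterSecretStore.
SAMPLE = {"kind": "List", "items": [
    {"kind": "ExternalSecret", "metadata": {"namespace": "media", "name": "db-creds"},
     "status": {"conditions": [{"type": "Ready", "status": "True",
                                "reason": "SecretSynced", "message": "secret synced"}]}},
    {"kind": "ExternalSecret", "metadata": {"namespace": "media", "name": "api-key"},
     "status": {"conditions": [{"type": "Ready", "status": "False",
                                "reason": "SecretSyncedError",
                                "message": "could not get secret data from provider"}]}},
    {"kind": "ExternalSecret", "metadata": {"namespace": "web", "name": "new-one"}},
    {"kind": "ClusterSecretStore", "metadata": {"name": "onepassword"},
     "status": {"conditions": [{"type": "Ready", "status": "True",
                                "reason": "Valid", "message": "store validated"}]}},
]}


if __name__ == "__main__":
    ctx = sys.argv[1] if len(sys.argv) > 1 else "minikube-indri"
    found = check_cluster(ctx)
    for kind, ns, name, reason, msg in found:
        print(f"{kind} {ns or '-'}/{name}: {reason}: {msg}")
    sys.exit(1 if found else 0)
```

Run it once per cluster context after step 2; a non-zero exit means step 3 is not yet satisfied.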

View file

@ -1,24 +0,0 @@
# External Secrets Configuration for ringtail k3s cluster
# Same ClusterSecretStore manifests as indri, different destination
#
# Prerequisites:
# - 1password-connect-ringtail is deployed and healthy
# - external-secrets-ringtail operator is deployed and CRDs are installed
#
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: external-secrets-config-ringtail
namespace: argocd
spec:
project: default
source:
repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
targetRevision: main
path: argocd/manifests/external-secrets
destination:
server: https://ringtail.tail8d86e.ts.net:6443
namespace: external-secrets
syncPolicy:
syncOptions:
- CreateNamespace=true
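Review bot: removing this Application from git does not remove the `external-secrets-config-ringtail` Application object from ArgoCD, which step 4 of the message covers, but the ClusterSecretStore it managed is now also claimed by the operator app via `cluster-secret-store.yaml`; run that delete (and the one for `external-secrets-config`) with `argocd app delete ... --cascade=false`, otherwise the default cascading delete removes the live ClusterSecretStore and every ExternalSecret fails to sync until the operator app re-creates it.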

View file

@ -1,26 +0,0 @@
# External Secrets Configuration - ClusterSecretStore for 1Password
#
# Deploys the ClusterSecretStore that connects ESO to 1Password Connect.
# Must be synced AFTER external-secrets operator is running.
#
# Prerequisites:
# - 1password-connect is deployed and healthy
# - external-secrets operator is deployed and CRDs are installed
#
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: external-secrets-config
namespace: argocd
spec:
project: default
source:
repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
targetRevision: main
path: argocd/manifests/external-secrets
destination:
server: https://kubernetes.default.svc
namespace: external-secrets
syncPolicy:
syncOptions:
- CreateNamespace=true

View file

@ -12,7 +12,7 @@ spec:
project: default
source:
repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/external-secrets.git
targetRevision: helm-chart-2.0.0
targetRevision: helm-chart-2.2.0
path: config/crds/bases
directory:
exclude: 'kustomization.yaml'
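Review bot: `targetRevision: helm-chart-2.2.0` pins the CRDs to the mirror tag, but nothing ties it to the `newTag: v2.2.0` in kustomization.yaml or the `app.kubernetes.io/version` labels in the rendered manifests; those three now have to be bumped together by hand on every upgrade, so a comment here naming the paired kustomization entry (or a check in `mise run services-check`) would catch drift between CRD version and controller version.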

View file

@ -16,7 +16,7 @@ spec:
project: default
source:
repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/external-secrets.git
targetRevision: helm-chart-2.0.0
targetRevision: helm-chart-2.2.0
path: config/crds/bases
directory:
exclude: 'kustomization.yaml'

View file

@ -1,5 +1,5 @@
# External Secrets Operator for ringtail k3s cluster
# Same chart/values as indri, different destination
# Same manifests as indri, different destination
#
# Prerequisites:
# - 1password-connect-ringtail must be deployed and healthy
@ -12,17 +12,10 @@ metadata:
namespace: argocd
spec:
project: default
sources:
- repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/external-secrets.git
targetRevision: helm-chart-2.0.0
path: deploy/charts/external-secrets
helm:
releaseName: external-secrets
valueFiles:
- $values/argocd/manifests/external-secrets/values.yaml
- repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
source:
repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
targetRevision: main
ref: values
path: argocd/manifests/external-secrets
destination:
server: https://ringtail.tail8d86e.ts.net:6443
namespace: external-secrets
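Review bot: the deleted `external-secrets-config-ringtail` app set `syncOptions: CreateNamespace=true`, and this hunk does not show whether the operator app does; confirm it (or add it), since every kustomize resource is namespaced into `external-secrets` and the first sync on a fresh cluster fails if the namespace does not exist.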

View file

@ -1,10 +1,12 @@
# External Secrets Operator - Kubernetes secret sync from external providers
# Syncs secrets from 1Password Connect to native Kubernetes Secrets
#
# Chart mirrored from https://github.com/external-secrets/external-secrets
# Static manifests rendered from upstream Helm chart v2.2.0
# Upstream: https://github.com/external-secrets/external-secrets
#
# Prerequisites:
# - 1password-connect must be deployed and healthy
# - external-secrets-crds must be synced first
#
apiVersion: argoproj.io/v1alpha1
kind: Application
@ -13,17 +15,10 @@ metadata:
namespace: argocd
spec:
project: default
sources:
- repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/external-secrets.git
targetRevision: helm-chart-2.0.0
path: deploy/charts/external-secrets
helm:
releaseName: external-secrets
valueFiles:
- $values/argocd/manifests/external-secrets/values.yaml
- repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
source:
repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
targetRevision: main
ref: values
path: argocd/manifests/external-secrets
destination:
server: https://kubernetes.default.svc
namespace: external-secrets
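Review bot: with `path: argocd/manifests/external-secrets` this app now renders `cluster-secret-store.yaml` as well, so between this sync and step 4 two Applications own the same ClusterSecretStore and ArgoCD reports a SharedResourceWarning on both; harmless, but sync this app before deleting the config app, not after, so the store is never left unowned.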

View file

@ -35,7 +35,7 @@ kubectl --context=minikube-indri get externalsecret -A
To sync a secret from 1Password, create an ExternalSecret in the target namespace:
```yaml
apiVersion: external-secrets.io/v1beta1
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: my-secret

View file

@ -0,0 +1,218 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: external-secrets-cert-controller
namespace: external-secrets
labels:
app.kubernetes.io/name: external-secrets-cert-controller
app.kubernetes.io/instance: external-secrets
app.kubernetes.io/version: "v2.2.0"
app.kubernetes.io/managed-by: kustomize
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/name: external-secrets-cert-controller
app.kubernetes.io/instance: external-secrets
template:
metadata:
labels:
app.kubernetes.io/name: external-secrets-cert-controller
app.kubernetes.io/instance: external-secrets
app.kubernetes.io/version: "v2.2.0"
app.kubernetes.io/managed-by: kustomize
spec:
serviceAccountName: external-secrets-cert-controller
automountServiceAccountToken: true
hostNetwork: false
containers:
- name: cert-controller
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
image: ghcr.io/external-secrets/external-secrets:kustomized
imagePullPolicy: IfNotPresent
args:
- certcontroller
- --crd-requeue-interval=5m
- --service-name=external-secrets-webhook
- --service-namespace=external-secrets
- --secret-name=external-secrets-webhook
- --secret-namespace=external-secrets
- --metrics-addr=:8080
- --healthz-addr=:8081
- --loglevel=info
- --zap-time-encoding=epoch
ports:
- containerPort: 8080
protocol: TCP
name: metrics
- containerPort: 8081
protocol: TCP
name: ready
readinessProbe:
httpGet:
port: ready
path: /readyz
initialDelaySeconds: 20
periodSeconds: 5
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 25m
memory: 32Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: external-secrets
namespace: external-secrets
labels:
app.kubernetes.io/name: external-secrets
app.kubernetes.io/instance: external-secrets
app.kubernetes.io/version: "v2.2.0"
app.kubernetes.io/managed-by: kustomize
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/name: external-secrets
app.kubernetes.io/instance: external-secrets
template:
metadata:
labels:
app.kubernetes.io/name: external-secrets
app.kubernetes.io/instance: external-secrets
app.kubernetes.io/version: "v2.2.0"
app.kubernetes.io/managed-by: kustomize
spec:
serviceAccountName: external-secrets
automountServiceAccountToken: true
hostNetwork: false
containers:
- name: external-secrets
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
image: ghcr.io/external-secrets/external-secrets:kustomized
imagePullPolicy: IfNotPresent
args:
- --concurrent=1
- --metrics-addr=:8080
- --loglevel=info
- --zap-time-encoding=epoch
ports:
- containerPort: 8080
protocol: TCP
name: metrics
resources:
limits:
cpu: 200m
memory: 256Mi
requests:
cpu: 50m
memory: 64Mi
dnsPolicy: ClusterFirst
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: external-secrets-webhook
namespace: external-secrets
labels:
app.kubernetes.io/name: external-secrets-webhook
app.kubernetes.io/instance: external-secrets
app.kubernetes.io/version: "v2.2.0"
app.kubernetes.io/managed-by: kustomize
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/name: external-secrets-webhook
app.kubernetes.io/instance: external-secrets
template:
metadata:
labels:
app.kubernetes.io/name: external-secrets-webhook
app.kubernetes.io/instance: external-secrets
app.kubernetes.io/version: "v2.2.0"
app.kubernetes.io/managed-by: kustomize
spec:
hostNetwork: false
serviceAccountName: external-secrets-webhook
automountServiceAccountToken: true
containers:
- name: webhook
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
image: ghcr.io/external-secrets/external-secrets:kustomized
imagePullPolicy: IfNotPresent
args:
- webhook
- --port=10250
- --dns-name=external-secrets-webhook.external-secrets.svc
- --cert-dir=/tmp/certs
- --check-interval=5m
- --metrics-addr=:8080
- --healthz-addr=:8081
- --loglevel=info
- --zap-time-encoding=epoch
ports:
- containerPort: 8080
protocol: TCP
name: metrics
- containerPort: 10250
protocol: TCP
name: webhook
- containerPort: 8081
protocol: TCP
name: ready
readinessProbe:
httpGet:
port: ready
path: /readyz
initialDelaySeconds: 20
periodSeconds: 5
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 25m
memory: 32Mi
volumeMounts:
- name: certs
mountPath: /tmp/certs
readOnly: true
volumes:
- name: certs
secret:
secretName: external-secrets-webhook
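Review bot: the image tag `kustomized` is a placeholder rewritten by the `images:` transformer in kustomization.yaml, so this file is not applyable on its own (`kubectl apply -f deployment.yaml` would pull a tag that does not exist), and `app.kubernetes.io/version: "v2.2.0"` is hardcoded in six places here, separate from `newTag`. A `labels` entry in the kustomization, or a one-line comment above each `image:` pointing at the transformer, would keep the version in one place. The container hardening (`drop: [ALL]`, `readOnlyRootFilesystem`, `runAsNonRoot`, `RuntimeDefault` seccomp) carries over from the chart intact.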

View file

@ -1,5 +1,15 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- serviceaccount.yaml
- rbac.yaml
- service.yaml
- webhook.yaml
- deployment.yaml
- cluster-secret-store.yaml
images:
- name: ghcr.io/external-secrets/external-secrets
newTag: v2.2.0
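Review bot: `newTag` pins only a mutable tag; kustomize's `images[].digest` field pins the exact image, which is the supply-chain guarantee worth adding now that the chart's appVersion pin is gone. Also `cluster-secret-store.yaml` is now applied in the same sync as `webhook.yaml`; because the validating webhooks fail closed (`failurePolicy: Fail`, which is also the Kubernetes default for the `clustersecretstore` entry that omits it), the ClusterSecretStore create is rejected until the webhook pod passes its readiness probe, so expect the first sync to need a retry or give the store a later `argocd.argoproj.io/sync-wave`.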

View file

@ -0,0 +1,445 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: external-secrets-cert-controller
labels:
app.kubernetes.io/name: external-secrets-cert-controller
app.kubernetes.io/instance: external-secrets
app.kubernetes.io/version: "v2.2.0"
app.kubernetes.io/managed-by: kustomize
rules:
- apiGroups:
- "apiextensions.k8s.io"
resources:
- "customresourcedefinitions"
verbs:
- "get"
- "list"
- "watch"
- "update"
- "patch"
- apiGroups:
- "admissionregistration.k8s.io"
resources:
- "validatingwebhookconfigurations"
verbs:
- "list"
- "watch"
- "get"
- apiGroups:
- "admissionregistration.k8s.io"
resources:
- "validatingwebhookconfigurations"
resourceNames:
- "secretstore-validate"
- "externalsecret-validate"
verbs:
- "update"
- "patch"
- apiGroups:
- ""
resources:
- "endpoints"
verbs:
- "list"
- "get"
- "watch"
- apiGroups:
- "discovery.k8s.io"
resources:
- "endpointslices"
verbs:
- "list"
- "get"
- "watch"
- apiGroups:
- ""
resources:
- "events"
verbs:
- "create"
- "patch"
- apiGroups:
- ""
resources:
- "secrets"
verbs:
- "get"
- "list"
- "watch"
- "update"
- "patch"
- apiGroups:
- "coordination.k8s.io"
resources:
- "leases"
verbs:
- "get"
- "create"
- "update"
- "patch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: external-secrets-controller
labels:
app.kubernetes.io/name: external-secrets
app.kubernetes.io/instance: external-secrets
app.kubernetes.io/version: "v2.2.0"
app.kubernetes.io/managed-by: kustomize
rules:
- apiGroups:
- "external-secrets.io"
resources:
- "secretstores"
- "clustersecretstores"
- "externalsecrets"
- "clusterexternalsecrets"
- "pushsecrets"
- "clusterpushsecrets"
verbs:
- "get"
- "list"
- "watch"
- apiGroups:
- "external-secrets.io"
resources:
- "externalsecrets"
- "externalsecrets/status"
- "externalsecrets/finalizers"
- "secretstores"
- "secretstores/status"
- "secretstores/finalizers"
- "clustersecretstores"
- "clustersecretstores/status"
- "clustersecretstores/finalizers"
- "clusterexternalsecrets"
- "clusterexternalsecrets/status"
- "clusterexternalsecrets/finalizers"
- "pushsecrets"
- "pushsecrets/status"
- "pushsecrets/finalizers"
- "clusterpushsecrets"
- "clusterpushsecrets/status"
- "clusterpushsecrets/finalizers"
verbs:
- "get"
- "update"
- "patch"
- apiGroups:
- "generators.external-secrets.io"
resources:
- "generatorstates"
verbs:
- "get"
- "list"
- "watch"
- "create"
- "update"
- "patch"
- "delete"
- "deletecollection"
- apiGroups:
- "generators.external-secrets.io"
resources:
- "acraccesstokens"
- "cloudsmithaccesstokens"
- "clustergenerators"
- "ecrauthorizationtokens"
- "fakes"
- "gcraccesstokens"
- "githubaccesstokens"
- "quayaccesstokens"
- "passwords"
- "sshkeys"
- "stssessiontokens"
- "uuids"
- "vaultdynamicsecrets"
- "webhooks"
- "grafanas"
- "mfas"
verbs:
- "get"
- "list"
- "watch"
- apiGroups:
- ""
resources:
- "serviceaccounts"
- "namespaces"
verbs:
- "get"
- "list"
- "watch"
- apiGroups:
- ""
resources:
- "namespaces"
verbs:
- "update"
- "patch"
- apiGroups:
- ""
resources:
- "configmaps"
verbs:
- "get"
- "list"
- "watch"
- apiGroups:
- ""
resources:
- "secrets"
verbs:
- "get"
- "list"
- "watch"
- "create"
- "update"
- "delete"
- "patch"
- apiGroups:
- ""
resources:
- "serviceaccounts/token"
verbs:
- "create"
- apiGroups:
- ""
resources:
- "events"
verbs:
- "create"
- "patch"
- apiGroups:
- "external-secrets.io"
resources:
- "externalsecrets"
verbs:
- "create"
- "update"
- "delete"
- apiGroups:
- "external-secrets.io"
resources:
- "pushsecrets"
verbs:
- "create"
- "update"
- "delete"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: external-secrets-view
labels:
app.kubernetes.io/name: external-secrets
app.kubernetes.io/instance: external-secrets
app.kubernetes.io/version: "v2.2.0"
app.kubernetes.io/managed-by: kustomize
rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- "external-secrets.io"
resources:
- "externalsecrets"
- "secretstores"
- "clustersecretstores"
- "pushsecrets"
- "clusterpushsecrets"
verbs:
- "get"
- "watch"
- "list"
- apiGroups:
- "generators.external-secrets.io"
resources:
- "acraccesstokens"
- "cloudsmithaccesstokens"
- "clustergenerators"
- "ecrauthorizationtokens"
- "fakes"
- "gcraccesstokens"
- "githubaccesstokens"
- "quayaccesstokens"
- "passwords"
- "sshkeys"
- "vaultdynamicsecrets"
- "webhooks"
- "grafanas"
- "generatorstates"
- "mfas"
- "uuids"
verbs:
- "get"
- "watch"
- "list"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: external-secrets-edit
labels:
app.kubernetes.io/name: external-secrets
app.kubernetes.io/instance: external-secrets
app.kubernetes.io/version: "v2.2.0"
app.kubernetes.io/managed-by: kustomize
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- "external-secrets.io"
resources:
- "externalsecrets"
- "secretstores"
- "clustersecretstores"
- "pushsecrets"
- "clusterpushsecrets"
verbs:
- "create"
- "delete"
- "deletecollection"
- "patch"
- "update"
- apiGroups:
- "generators.external-secrets.io"
resources:
- "acraccesstokens"
- "cloudsmithaccesstokens"
- "clustergenerators"
- "ecrauthorizationtokens"
- "fakes"
- "gcraccesstokens"
- "githubaccesstokens"
- "quayaccesstokens"
- "passwords"
- "sshkeys"
- "vaultdynamicsecrets"
- "webhooks"
- "grafanas"
- "generatorstates"
- "mfas"
- "uuids"
verbs:
- "create"
- "delete"
- "deletecollection"
- "patch"
- "update"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: external-secrets-servicebindings
labels:
servicebinding.io/controller: "true"
app.kubernetes.io/name: external-secrets
app.kubernetes.io/instance: external-secrets
app.kubernetes.io/version: "v2.2.0"
app.kubernetes.io/managed-by: kustomize
rules:
- apiGroups:
- "external-secrets.io"
resources:
- "externalsecrets"
- "pushsecrets"
verbs:
- "get"
- "list"
- "watch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: external-secrets-cert-controller
labels:
app.kubernetes.io/name: external-secrets-cert-controller
app.kubernetes.io/instance: external-secrets
app.kubernetes.io/version: "v2.2.0"
app.kubernetes.io/managed-by: kustomize
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: external-secrets-cert-controller
subjects:
- name: external-secrets-cert-controller
namespace: external-secrets
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: external-secrets-controller
labels:
app.kubernetes.io/name: external-secrets
app.kubernetes.io/instance: external-secrets
app.kubernetes.io/version: "v2.2.0"
app.kubernetes.io/managed-by: kustomize
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: external-secrets-controller
subjects:
- name: external-secrets
namespace: external-secrets
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: external-secrets-leaderelection
namespace: external-secrets
labels:
app.kubernetes.io/name: external-secrets
app.kubernetes.io/instance: external-secrets
app.kubernetes.io/version: "v2.2.0"
app.kubernetes.io/managed-by: kustomize
rules:
- apiGroups:
- ""
resources:
- "configmaps"
resourceNames:
- "external-secrets-controller"
verbs:
- "get"
- "update"
- "patch"
- apiGroups:
- ""
resources:
- "configmaps"
verbs:
- "create"
- apiGroups:
- "coordination.k8s.io"
resources:
- "leases"
verbs:
- "get"
- "create"
- "update"
- "patch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: external-secrets-leaderelection
namespace: external-secrets
labels:
app.kubernetes.io/name: external-secrets
app.kubernetes.io/instance: external-secrets
app.kubernetes.io/version: "v2.2.0"
app.kubernetes.io/managed-by: kustomize
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: external-secrets-leaderelection
subjects:
- kind: ServiceAccount
name: external-secrets
namespace: external-secrets
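Review bot: the `external-secrets-controller` ClusterRole grants `secrets` get/list/watch/create/update/delete and `serviceaccounts/token` create across every namespace, plus `namespaces` update/patch; that is upstream's shape and what ESO needs, but it makes the `external-secrets` ServiceAccount token the most privileged credential in the cluster short of admin, which deserves a comment at the top of this file. The `aggregate-to-view` label on `external-secrets-view` is also a choice worth stating: it lets every `view`-bound user list SecretStore and ClusterSecretStore specs (not the referenced credentials), which is fine here but should be deliberate.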

View file

@ -0,0 +1,22 @@
---
apiVersion: v1
kind: Service
metadata:
name: external-secrets-webhook
namespace: external-secrets
labels:
app.kubernetes.io/name: external-secrets-webhook
app.kubernetes.io/instance: external-secrets
app.kubernetes.io/version: "v2.2.0"
app.kubernetes.io/managed-by: kustomize
external-secrets.io/component: webhook
spec:
type: ClusterIP
ports:
- port: 443
targetPort: webhook
protocol: TCP
name: webhook
selector:
app.kubernetes.io/name: external-secrets-webhook
app.kubernetes.io/instance: external-secrets

View file

@ -0,0 +1,33 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: external-secrets-cert-controller
namespace: external-secrets
labels:
app.kubernetes.io/name: external-secrets-cert-controller
app.kubernetes.io/instance: external-secrets
app.kubernetes.io/version: "v2.2.0"
app.kubernetes.io/managed-by: kustomize
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: external-secrets
namespace: external-secrets
labels:
app.kubernetes.io/name: external-secrets
app.kubernetes.io/instance: external-secrets
app.kubernetes.io/version: "v2.2.0"
app.kubernetes.io/managed-by: kustomize
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: external-secrets-webhook
namespace: external-secrets
labels:
app.kubernetes.io/name: external-secrets-webhook
app.kubernetes.io/instance: external-secrets
app.kubernetes.io/version: "v2.2.0"
app.kubernetes.io/managed-by: kustomize

View file

@ -1,31 +0,0 @@
# External Secrets Operator Helm values for blumeops
# Chart: https://github.com/external-secrets/external-secrets
installCRDs: true
# Resource limits for minikube
resources:
requests:
memory: "64Mi"
cpu: "50m"
limits:
memory: "256Mi"
cpu: "200m"
webhook:
resources:
requests:
memory: "32Mi"
cpu: "25m"
limits:
memory: "128Mi"
cpu: "100m"
certController:
resources:
requests:
memory: "32Mi"
cpu: "25m"
limits:
memory: "128Mi"
cpu: "100m"
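Review bot: deleting `values.yaml` discards the inputs the static manifests were rendered from (the resource limits reappear verbatim in `deployment.yaml`; `installCRDs: true` is now redundant with the CRD app), and neither the header comment nor this commit records the `helm template` invocation; keep a values file plus the render command (or a `mise` task) next to the manifests so the next bump is a re-render and a diff rather than a hand edit.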

View file

@ -0,0 +1,83 @@
---
apiVersion: v1
kind: Secret
metadata:
name: external-secrets-webhook
namespace: external-secrets
labels:
app.kubernetes.io/name: external-secrets-webhook
app.kubernetes.io/instance: external-secrets
app.kubernetes.io/version: "v2.2.0"
app.kubernetes.io/managed-by: kustomize
external-secrets.io/component: webhook
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: secretstore-validate
labels:
app.kubernetes.io/name: external-secrets-webhook
app.kubernetes.io/instance: external-secrets
app.kubernetes.io/version: "v2.2.0"
app.kubernetes.io/managed-by: kustomize
external-secrets.io/component: webhook
webhooks:
- name: "validate.secretstore.external-secrets.io"
rules:
- apiGroups: ["external-secrets.io"]
apiVersions: ["v1"]
operations: ["CREATE", "UPDATE", "DELETE"]
resources: ["secretstores"]
scope: "Namespaced"
clientConfig:
service:
namespace: external-secrets
name: external-secrets-webhook
path: /validate-external-secrets-io-v1-secretstore
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
timeoutSeconds: 5
failurePolicy: Fail
- name: "validate.clustersecretstore.external-secrets.io"
rules:
- apiGroups: ["external-secrets.io"]
apiVersions: ["v1"]
operations: ["CREATE", "UPDATE", "DELETE"]
resources: ["clustersecretstores"]
scope: "Cluster"
clientConfig:
service:
namespace: external-secrets
name: external-secrets-webhook
path: /validate-external-secrets-io-v1-clustersecretstore
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
timeoutSeconds: 5
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: externalsecret-validate
labels:
app.kubernetes.io/name: external-secrets-webhook
app.kubernetes.io/instance: external-secrets
app.kubernetes.io/version: "v2.2.0"
app.kubernetes.io/managed-by: kustomize
external-secrets.io/component: webhook
webhooks:
- name: "validate.externalsecret.external-secrets.io"
rules:
- apiGroups: ["external-secrets.io"]
apiVersions: ["v1"]
operations: ["CREATE", "UPDATE", "DELETE"]
resources: ["externalsecrets"]
scope: "Namespaced"
clientConfig:
service:
namespace: external-secrets
name: external-secrets-webhook
path: /validate-external-secrets-io-v1-externalsecret
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
timeoutSeconds: 5
failurePolicy: Fail
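Review bot: `validate.clustersecretstore.external-secrets.io` (the second entry under `secretstore-validate`) is the only webhook without an explicit `failurePolicy`; Kubernetes defaults it to `Fail`, so behaviour matches the other two, but the omission reads as accidental and should be made explicit. Separately, the `external-secrets-webhook` Secret is declared empty here and filled with the serving certificate by the cert-controller at runtime; confirm ArgoCD does not report it as drifted or reset it on a self-heal sync, and add an `ignoreDifferences` entry for its `data` if it does.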

View file

@ -0,0 +1 @@
Upgrade External Secrets Operator from v1.3.2 to v2.2.0 and migrate from Helm chart to static kustomize manifests.

View file

@ -126,10 +126,10 @@ services:
- name: external-secrets
type: argocd
last-reviewed: 2026-02-17
current-version: "helm-chart-2.0.0"
last-reviewed: 2026-03-25
current-version: "v2.2.0"
upstream-source: https://github.com/external-secrets/external-secrets/releases
notes: Deployed via Helm chart (operator v1.3.2)
notes: Static kustomize manifests rendered from upstream Helm chart
- name: 1password-connect
type: argocd