Deploy external-secrets from local registry image

Swap the controller/webhook/cert-controller image from ghcr.io to the locally built registry.ops.eblu.me/blumeops/external-secrets:v2.2.0-2985007. Like-for-like (v2.2.0); mark service reviewed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-04 14:48:08 -07:00 · 2026-06-04 14:48:08 -07:00 · adc24358f4
commit adc24358f4
parent 2985007430
3 changed files with 8 additions and 3 deletions
--- a/argocd/manifests/external-secrets/kustomization.yaml
+++ b/argocd/manifests/external-secrets/kustomization.yaml
@ -12,4 +12,5 @@ resources:
 images:
  - name: ghcr.io/external-secrets/external-secrets
-    newTag: v2.2.0
+    newName: registry.ops.eblu.me/blumeops/external-secrets
    newTag: v2.2.0-2985007
--- a/docs/changelog.d/local-external-secrets.infra.md
+++ b/docs/changelog.d/local-external-secrets.infra.md
@ -0,0 +1 @@
 Localized the external-secrets controller image. It now builds from the forge mirror via a native Dagger `container.py` (single `all_providers` static Go binary, faithful to upstream's `make build`) and is served from `registry.ops.eblu.me/blumeops/external-secrets` instead of `ghcr.io`, bringing another platform component under local supply-chain control.
--- a/service-versions.yaml
+++ b/service-versions.yaml
@ -159,10 +159,13 @@ services:
  - name: external-secrets
    type: argocd
-    last-reviewed: 2026-03-25
+    last-reviewed: 2026-06-04
    current-version: "v2.2.0"
    upstream-source: https://github.com/external-secrets/external-secrets/releases
-    notes: Static kustomize manifests rendered from upstream Helm chart
+    notes: >-
      Static kustomize manifests rendered from upstream Helm chart. Controller
      image is locally built from the forge mirror via containers/external-secrets/container.py
      (single all_providers static Go binary).
  - name: 1password-connect
    type: argocd
		`@ -0,0 +1 @@`
							Localized the external-secrets controller image. It now builds from the forge mirror via a native Dagger `container.py` (single `all_providers` static Go binary, faithful to upstream's `make build`) and is served from `registry.ops.eblu.me/blumeops/external-secrets` instead of `ghcr.io`, bringing another platform component under local supply-chain control.