Upgrade External Secrets Operator v2.2.0 + migrate Helm to kustomize

Replace the Helm chart deployment with static kustomize manifests rendered
from upstream chart v2.2.0. This aligns ESO with the repo's kustomize-first
pattern and simplifies upgrades. Merges the separate -config apps into the
main app, reducing from 6 to 4 ArgoCD applications.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

argocd/apps/external-secrets-config-ringtail.yaml

@@ -1,24 +0,0 @@
-# External Secrets Configuration for ringtail k3s cluster
-# Same ClusterSecretStore manifests as indri, different destination
-#
-# Prerequisites:
-# - 1password-connect-ringtail is deployed and healthy
-# - external-secrets-ringtail operator is deployed and CRDs are installed
-#
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: external-secrets-config-ringtail
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
-    targetRevision: main
-    path: argocd/manifests/external-secrets
-  destination:
-    server: https://ringtail.tail8d86e.ts.net:6443
-    namespace: external-secrets
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true

argocd/apps/external-secrets-config.yaml

@@ -1,26 +0,0 @@
-# External Secrets Configuration - ClusterSecretStore for 1Password
-#
-# Deploys the ClusterSecretStore that connects ESO to 1Password Connect.
-# Must be synced AFTER external-secrets operator is running.
-#
-# Prerequisites:
-# - 1password-connect is deployed and healthy
-# - external-secrets operator is deployed and CRDs are installed
-#
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: external-secrets-config
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
-    targetRevision: main
-    path: argocd/manifests/external-secrets
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: external-secrets
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true

argocd/apps/external-secrets-crds-ringtail.yaml

@@ -12,7 +12,7 @@ spec:
   project: default
   source:
     repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/external-secrets.git
-    targetRevision: helm-chart-2.0.0
+    targetRevision: helm-chart-2.2.0
     path: config/crds/bases
     directory:
       exclude: 'kustomization.yaml'

argocd/apps/external-secrets-crds.yaml

@@ -16,7 +16,7 @@ spec:
   project: default
   source:
     repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/external-secrets.git
-    targetRevision: helm-chart-2.0.0
+    targetRevision: helm-chart-2.2.0
     path: config/crds/bases
     directory:
       exclude: 'kustomization.yaml'

argocd/apps/external-secrets-ringtail.yaml

@@ -1,5 +1,5 @@
 # External Secrets Operator for ringtail k3s cluster
-# Same chart/values as indri, different destination
+# Same manifests as indri, different destination
 #
 # Prerequisites:
 # - 1password-connect-ringtail must be deployed and healthy
@@ -12,17 +12,10 @@ metadata:
   namespace: argocd
 spec:
   project: default
-  sources:
+  source:
-    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/external-secrets.git
+    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
-      targetRevision: helm-chart-2.0.0
+    targetRevision: main
-      path: deploy/charts/external-secrets
+    path: argocd/manifests/external-secrets
-      helm:
-        releaseName: external-secrets
-        valueFiles:
-          - $values/argocd/manifests/external-secrets/values.yaml
-    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
-      targetRevision: main
-      ref: values
   destination:
     server: https://ringtail.tail8d86e.ts.net:6443
     namespace: external-secrets

argocd/apps/external-secrets.yaml

@@ -1,10 +1,12 @@
 # External Secrets Operator - Kubernetes secret sync from external providers
 # Syncs secrets from 1Password Connect to native Kubernetes Secrets
 #
-# Chart mirrored from https://github.com/external-secrets/external-secrets
+# Static manifests rendered from upstream Helm chart v2.2.0
+# Upstream: https://github.com/external-secrets/external-secrets
 #
 # Prerequisites:
 # - 1password-connect must be deployed and healthy
+# - external-secrets-crds must be synced first
 #
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -13,17 +15,10 @@ metadata:
   namespace: argocd
 spec:
   project: default
-  sources:
+  source:
-    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/mirrors/external-secrets.git
+    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
-      targetRevision: helm-chart-2.0.0
+    targetRevision: main
-      path: deploy/charts/external-secrets
+    path: argocd/manifests/external-secrets
-      helm:
-        releaseName: external-secrets
-        valueFiles:
-          - $values/argocd/manifests/external-secrets/values.yaml
-    - repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
-      targetRevision: main
-      ref: values
   destination:
     server: https://kubernetes.default.svc
     namespace: external-secrets

argocd/manifests/external-secrets/README.md

@@ -35,7 +35,7 @@ kubectl --context=minikube-indri get externalsecret -A
 To sync a secret from 1Password, create an ExternalSecret in the target namespace:
 
 ```yaml
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: my-secret

argocd/manifests/external-secrets/deployment.yaml

@@ -0,0 +1,218 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-secrets-cert-controller
+  namespace: external-secrets
+  labels:
+    app.kubernetes.io/name: external-secrets-cert-controller
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v2.2.0"
+    app.kubernetes.io/managed-by: kustomize
+spec:
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: external-secrets-cert-controller
+      app.kubernetes.io/instance: external-secrets
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: external-secrets-cert-controller
+        app.kubernetes.io/instance: external-secrets
+        app.kubernetes.io/version: "v2.2.0"
+        app.kubernetes.io/managed-by: kustomize
+    spec:
+      serviceAccountName: external-secrets-cert-controller
+      automountServiceAccountToken: true
+      hostNetwork: false
+      containers:
+        - name: cert-controller
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+            seccompProfile:
+              type: RuntimeDefault
+          image: ghcr.io/external-secrets/external-secrets:kustomized
+          imagePullPolicy: IfNotPresent
+          args:
+            - certcontroller
+            - --crd-requeue-interval=5m
+            - --service-name=external-secrets-webhook
+            - --service-namespace=external-secrets
+            - --secret-name=external-secrets-webhook
+            - --secret-namespace=external-secrets
+            - --metrics-addr=:8080
+            - --healthz-addr=:8081
+            - --loglevel=info
+            - --zap-time-encoding=epoch
+          ports:
+            - containerPort: 8080
+              protocol: TCP
+              name: metrics
+            - containerPort: 8081
+              protocol: TCP
+              name: ready
+          readinessProbe:
+            httpGet:
+              port: ready
+              path: /readyz
+            initialDelaySeconds: 20
+            periodSeconds: 5
+          resources:
+            limits:
+              cpu: 100m
+              memory: 128Mi
+            requests:
+              cpu: 25m
+              memory: 32Mi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-secrets
+  namespace: external-secrets
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v2.2.0"
+    app.kubernetes.io/managed-by: kustomize
+spec:
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: external-secrets
+      app.kubernetes.io/instance: external-secrets
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: external-secrets
+        app.kubernetes.io/instance: external-secrets
+        app.kubernetes.io/version: "v2.2.0"
+        app.kubernetes.io/managed-by: kustomize
+    spec:
+      serviceAccountName: external-secrets
+      automountServiceAccountToken: true
+      hostNetwork: false
+      containers:
+        - name: external-secrets
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+            seccompProfile:
+              type: RuntimeDefault
+          image: ghcr.io/external-secrets/external-secrets:kustomized
+          imagePullPolicy: IfNotPresent
+          args:
+            - --concurrent=1
+            - --metrics-addr=:8080
+            - --loglevel=info
+            - --zap-time-encoding=epoch
+          ports:
+            - containerPort: 8080
+              protocol: TCP
+              name: metrics
+          resources:
+            limits:
+              cpu: 200m
+              memory: 256Mi
+            requests:
+              cpu: 50m
+              memory: 64Mi
+      dnsPolicy: ClusterFirst
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-secrets-webhook
+  namespace: external-secrets
+  labels:
+    app.kubernetes.io/name: external-secrets-webhook
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v2.2.0"
+    app.kubernetes.io/managed-by: kustomize
+spec:
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: external-secrets-webhook
+      app.kubernetes.io/instance: external-secrets
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: external-secrets-webhook
+        app.kubernetes.io/instance: external-secrets
+        app.kubernetes.io/version: "v2.2.0"
+        app.kubernetes.io/managed-by: kustomize
+    spec:
+      hostNetwork: false
+      serviceAccountName: external-secrets-webhook
+      automountServiceAccountToken: true
+      containers:
+        - name: webhook
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+            seccompProfile:
+              type: RuntimeDefault
+          image: ghcr.io/external-secrets/external-secrets:kustomized
+          imagePullPolicy: IfNotPresent
+          args:
+            - webhook
+            - --port=10250
+            - --dns-name=external-secrets-webhook.external-secrets.svc
+            - --cert-dir=/tmp/certs
+            - --check-interval=5m
+            - --metrics-addr=:8080
+            - --healthz-addr=:8081
+            - --loglevel=info
+            - --zap-time-encoding=epoch
+          ports:
+            - containerPort: 8080
+              protocol: TCP
+              name: metrics
+            - containerPort: 10250
+              protocol: TCP
+              name: webhook
+            - containerPort: 8081
+              protocol: TCP
+              name: ready
+          readinessProbe:
+            httpGet:
+              port: ready
+              path: /readyz
+            initialDelaySeconds: 20
+            periodSeconds: 5
+          resources:
+            limits:
+              cpu: 100m
+              memory: 128Mi
+            requests:
+              cpu: 25m
+              memory: 32Mi
+          volumeMounts:
+            - name: certs
+              mountPath: /tmp/certs
+              readOnly: true
+      volumes:
+        - name: certs
+          secret:
+            secretName: external-secrets-webhook

argocd/manifests/external-secrets/kustomization.yaml

@@ -1,5 +1,15 @@
+---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
+  - serviceaccount.yaml
+  - rbac.yaml
+  - service.yaml
+  - webhook.yaml
+  - deployment.yaml
   - cluster-secret-store.yaml
+
+images:
+  - name: ghcr.io/external-secrets/external-secrets
+    newTag: v2.2.0

argocd/manifests/external-secrets/rbac.yaml

@@ -0,0 +1,445 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: external-secrets-cert-controller
+  labels:
+    app.kubernetes.io/name: external-secrets-cert-controller
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v2.2.0"
+    app.kubernetes.io/managed-by: kustomize
+rules:
+  - apiGroups:
+      - "apiextensions.k8s.io"
+    resources:
+      - "customresourcedefinitions"
+    verbs:
+      - "get"
+      - "list"
+      - "watch"
+      - "update"
+      - "patch"
+  - apiGroups:
+      - "admissionregistration.k8s.io"
+    resources:
+      - "validatingwebhookconfigurations"
+    verbs:
+      - "list"
+      - "watch"
+      - "get"
+  - apiGroups:
+      - "admissionregistration.k8s.io"
+    resources:
+      - "validatingwebhookconfigurations"
+    resourceNames:
+      - "secretstore-validate"
+      - "externalsecret-validate"
+    verbs:
+      - "update"
+      - "patch"
+  - apiGroups:
+      - ""
+    resources:
+      - "endpoints"
+    verbs:
+      - "list"
+      - "get"
+      - "watch"
+  - apiGroups:
+      - "discovery.k8s.io"
+    resources:
+      - "endpointslices"
+    verbs:
+      - "list"
+      - "get"
+      - "watch"
+  - apiGroups:
+      - ""
+    resources:
+      - "events"
+    verbs:
+      - "create"
+      - "patch"
+  - apiGroups:
+      - ""
+    resources:
+      - "secrets"
+    verbs:
+      - "get"
+      - "list"
+      - "watch"
+      - "update"
+      - "patch"
+  - apiGroups:
+      - "coordination.k8s.io"
+    resources:
+      - "leases"
+    verbs:
+      - "get"
+      - "create"
+      - "update"
+      - "patch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: external-secrets-controller
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v2.2.0"
+    app.kubernetes.io/managed-by: kustomize
+rules:
+  - apiGroups:
+      - "external-secrets.io"
+    resources:
+      - "secretstores"
+      - "clustersecretstores"
+      - "externalsecrets"
+      - "clusterexternalsecrets"
+      - "pushsecrets"
+      - "clusterpushsecrets"
+    verbs:
+      - "get"
+      - "list"
+      - "watch"
+  - apiGroups:
+      - "external-secrets.io"
+    resources:
+      - "externalsecrets"
+      - "externalsecrets/status"
+      - "externalsecrets/finalizers"
+      - "secretstores"
+      - "secretstores/status"
+      - "secretstores/finalizers"
+      - "clustersecretstores"
+      - "clustersecretstores/status"
+      - "clustersecretstores/finalizers"
+      - "clusterexternalsecrets"
+      - "clusterexternalsecrets/status"
+      - "clusterexternalsecrets/finalizers"
+      - "pushsecrets"
+      - "pushsecrets/status"
+      - "pushsecrets/finalizers"
+      - "clusterpushsecrets"
+      - "clusterpushsecrets/status"
+      - "clusterpushsecrets/finalizers"
+    verbs:
+      - "get"
+      - "update"
+      - "patch"
+  - apiGroups:
+      - "generators.external-secrets.io"
+    resources:
+      - "generatorstates"
+    verbs:
+      - "get"
+      - "list"
+      - "watch"
+      - "create"
+      - "update"
+      - "patch"
+      - "delete"
+      - "deletecollection"
+  - apiGroups:
+      - "generators.external-secrets.io"
+    resources:
+      - "acraccesstokens"
+      - "cloudsmithaccesstokens"
+      - "clustergenerators"
+      - "ecrauthorizationtokens"
+      - "fakes"
+      - "gcraccesstokens"
+      - "githubaccesstokens"
+      - "quayaccesstokens"
+      - "passwords"
+      - "sshkeys"
+      - "stssessiontokens"
+      - "uuids"
+      - "vaultdynamicsecrets"
+      - "webhooks"
+      - "grafanas"
+      - "mfas"
+    verbs:
+      - "get"
+      - "list"
+      - "watch"
+  - apiGroups:
+      - ""
+    resources:
+      - "serviceaccounts"
+      - "namespaces"
+    verbs:
+      - "get"
+      - "list"
+      - "watch"
+  - apiGroups:
+      - ""
+    resources:
+      - "namespaces"
+    verbs:
+      - "update"
+      - "patch"
+  - apiGroups:
+      - ""
+    resources:
+      - "configmaps"
+    verbs:
+      - "get"
+      - "list"
+      - "watch"
+  - apiGroups:
+      - ""
+    resources:
+      - "secrets"
+    verbs:
+      - "get"
+      - "list"
+      - "watch"
+      - "create"
+      - "update"
+      - "delete"
+      - "patch"
+  - apiGroups:
+      - ""
+    resources:
+      - "serviceaccounts/token"
+    verbs:
+      - "create"
+  - apiGroups:
+      - ""
+    resources:
+      - "events"
+    verbs:
+      - "create"
+      - "patch"
+  - apiGroups:
+      - "external-secrets.io"
+    resources:
+      - "externalsecrets"
+    verbs:
+      - "create"
+      - "update"
+      - "delete"
+  - apiGroups:
+      - "external-secrets.io"
+    resources:
+      - "pushsecrets"
+    verbs:
+      - "create"
+      - "update"
+      - "delete"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: external-secrets-view
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v2.2.0"
+    app.kubernetes.io/managed-by: kustomize
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+  - apiGroups:
+      - "external-secrets.io"
+    resources:
+      - "externalsecrets"
+      - "secretstores"
+      - "clustersecretstores"
+      - "pushsecrets"
+      - "clusterpushsecrets"
+    verbs:
+      - "get"
+      - "watch"
+      - "list"
+  - apiGroups:
+      - "generators.external-secrets.io"
+    resources:
+      - "acraccesstokens"
+      - "cloudsmithaccesstokens"
+      - "clustergenerators"
+      - "ecrauthorizationtokens"
+      - "fakes"
+      - "gcraccesstokens"
+      - "githubaccesstokens"
+      - "quayaccesstokens"
+      - "passwords"
+      - "sshkeys"
+      - "vaultdynamicsecrets"
+      - "webhooks"
+      - "grafanas"
+      - "generatorstates"
+      - "mfas"
+      - "uuids"
+    verbs:
+      - "get"
+      - "watch"
+      - "list"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: external-secrets-edit
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v2.2.0"
+    app.kubernetes.io/managed-by: kustomize
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+  - apiGroups:
+      - "external-secrets.io"
+    resources:
+      - "externalsecrets"
+      - "secretstores"
+      - "clustersecretstores"
+      - "pushsecrets"
+      - "clusterpushsecrets"
+    verbs:
+      - "create"
+      - "delete"
+      - "deletecollection"
+      - "patch"
+      - "update"
+  - apiGroups:
+      - "generators.external-secrets.io"
+    resources:
+      - "acraccesstokens"
+      - "cloudsmithaccesstokens"
+      - "clustergenerators"
+      - "ecrauthorizationtokens"
+      - "fakes"
+      - "gcraccesstokens"
+      - "githubaccesstokens"
+      - "quayaccesstokens"
+      - "passwords"
+      - "sshkeys"
+      - "vaultdynamicsecrets"
+      - "webhooks"
+      - "grafanas"
+      - "generatorstates"
+      - "mfas"
+      - "uuids"
+    verbs:
+      - "create"
+      - "delete"
+      - "deletecollection"
+      - "patch"
+      - "update"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: external-secrets-servicebindings
+  labels:
+    servicebinding.io/controller: "true"
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v2.2.0"
+    app.kubernetes.io/managed-by: kustomize
+rules:
+  - apiGroups:
+      - "external-secrets.io"
+    resources:
+      - "externalsecrets"
+      - "pushsecrets"
+    verbs:
+      - "get"
+      - "list"
+      - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: external-secrets-cert-controller
+  labels:
+    app.kubernetes.io/name: external-secrets-cert-controller
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v2.2.0"
+    app.kubernetes.io/managed-by: kustomize
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: external-secrets-cert-controller
+subjects:
+  - name: external-secrets-cert-controller
+    namespace: external-secrets
+    kind: ServiceAccount
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: external-secrets-controller
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v2.2.0"
+    app.kubernetes.io/managed-by: kustomize
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: external-secrets-controller
+subjects:
+  - name: external-secrets
+    namespace: external-secrets
+    kind: ServiceAccount
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: external-secrets-leaderelection
+  namespace: external-secrets
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v2.2.0"
+    app.kubernetes.io/managed-by: kustomize
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - "configmaps"
+    resourceNames:
+      - "external-secrets-controller"
+    verbs:
+      - "get"
+      - "update"
+      - "patch"
+  - apiGroups:
+      - ""
+    resources:
+      - "configmaps"
+    verbs:
+      - "create"
+  - apiGroups:
+      - "coordination.k8s.io"
+    resources:
+      - "leases"
+    verbs:
+      - "get"
+      - "create"
+      - "update"
+      - "patch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: external-secrets-leaderelection
+  namespace: external-secrets
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v2.2.0"
+    app.kubernetes.io/managed-by: kustomize
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: external-secrets-leaderelection
+subjects:
+  - kind: ServiceAccount
+    name: external-secrets
+    namespace: external-secrets

argocd/manifests/external-secrets/service.yaml

@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: external-secrets-webhook
+  namespace: external-secrets
+  labels:
+    app.kubernetes.io/name: external-secrets-webhook
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v2.2.0"
+    app.kubernetes.io/managed-by: kustomize
+    external-secrets.io/component: webhook
+spec:
+  type: ClusterIP
+  ports:
+    - port: 443
+      targetPort: webhook
+      protocol: TCP
+      name: webhook
+  selector:
+    app.kubernetes.io/name: external-secrets-webhook
+    app.kubernetes.io/instance: external-secrets

argocd/manifests/external-secrets/serviceaccount.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: external-secrets-cert-controller
+  namespace: external-secrets
+  labels:
+    app.kubernetes.io/name: external-secrets-cert-controller
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v2.2.0"
+    app.kubernetes.io/managed-by: kustomize
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: external-secrets
+  namespace: external-secrets
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v2.2.0"
+    app.kubernetes.io/managed-by: kustomize
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: external-secrets-webhook
+  namespace: external-secrets
+  labels:
+    app.kubernetes.io/name: external-secrets-webhook
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v2.2.0"
+    app.kubernetes.io/managed-by: kustomize

argocd/manifests/external-secrets/values.yaml

@@ -1,31 +0,0 @@
-# External Secrets Operator Helm values for blumeops
-# Chart: https://github.com/external-secrets/external-secrets
-
-installCRDs: true
-
-# Resource limits for minikube
-resources:
-  requests:
-    memory: "64Mi"
-    cpu: "50m"
-  limits:
-    memory: "256Mi"
-    cpu: "200m"
-
-webhook:
-  resources:
-    requests:
-      memory: "32Mi"
-      cpu: "25m"
-    limits:
-      memory: "128Mi"
-      cpu: "100m"
-
-certController:
-  resources:
-    requests:
-      memory: "32Mi"
-      cpu: "25m"
-    limits:
-      memory: "128Mi"
-      cpu: "100m"

argocd/manifests/external-secrets/webhook.yaml

@@ -0,0 +1,83 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: external-secrets-webhook
+  namespace: external-secrets
+  labels:
+    app.kubernetes.io/name: external-secrets-webhook
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v2.2.0"
+    app.kubernetes.io/managed-by: kustomize
+    external-secrets.io/component: webhook
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: secretstore-validate
+  labels:
+    app.kubernetes.io/name: external-secrets-webhook
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v2.2.0"
+    app.kubernetes.io/managed-by: kustomize
+    external-secrets.io/component: webhook
+webhooks:
+  - name: "validate.secretstore.external-secrets.io"
+    rules:
+      - apiGroups: ["external-secrets.io"]
+        apiVersions: ["v1"]
+        operations: ["CREATE", "UPDATE", "DELETE"]
+        resources: ["secretstores"]
+        scope: "Namespaced"
+    clientConfig:
+      service:
+        namespace: external-secrets
+        name: external-secrets-webhook
+        path: /validate-external-secrets-io-v1-secretstore
+    admissionReviewVersions: ["v1", "v1beta1"]
+    sideEffects: None
+    timeoutSeconds: 5
+    failurePolicy: Fail
+  - name: "validate.clustersecretstore.external-secrets.io"
+    rules:
+      - apiGroups: ["external-secrets.io"]
+        apiVersions: ["v1"]
+        operations: ["CREATE", "UPDATE", "DELETE"]
+        resources: ["clustersecretstores"]
+        scope: "Cluster"
+    clientConfig:
+      service:
+        namespace: external-secrets
+        name: external-secrets-webhook
+        path: /validate-external-secrets-io-v1-clustersecretstore
+    admissionReviewVersions: ["v1", "v1beta1"]
+    sideEffects: None
+    timeoutSeconds: 5
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: externalsecret-validate
+  labels:
+    app.kubernetes.io/name: external-secrets-webhook
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v2.2.0"
+    app.kubernetes.io/managed-by: kustomize
+    external-secrets.io/component: webhook
+webhooks:
+  - name: "validate.externalsecret.external-secrets.io"
+    rules:
+      - apiGroups: ["external-secrets.io"]
+        apiVersions: ["v1"]
+        operations: ["CREATE", "UPDATE", "DELETE"]
+        resources: ["externalsecrets"]
+        scope: "Namespaced"
+    clientConfig:
+      service:
+        namespace: external-secrets
+        name: external-secrets-webhook
+        path: /validate-external-secrets-io-v1-externalsecret
+    admissionReviewVersions: ["v1", "v1beta1"]
+    sideEffects: None
+    timeoutSeconds: 5
+    failurePolicy: Fail

docs/changelog.d/upgrade-external-secrets-v2.infra.md

@@ -0,0 +1 @@
+Upgrade External Secrets Operator from v1.3.2 to v2.2.0 and migrate from Helm chart to static kustomize manifests.

service-versions.yaml

@@ -126,10 +126,10 @@ services:
 
   - name: external-secrets
     type: argocd
-    last-reviewed: 2026-02-17
+    last-reviewed: 2026-03-25
-    current-version: "helm-chart-2.0.0"
+    current-version: "v2.2.0"
     upstream-source: https://github.com/external-secrets/external-secrets/releases
-    notes: Deployed via Helm chart (operator v1.3.2)
+    notes: Static kustomize manifests rendered from upstream Helm chart
 
   - name: 1password-connect
     type: argocd