Localize external-secrets container (native container.py build) #367

Merged
eblume merged 2 commits from local-external-secrets into main 2026-06-04 14:55:59 -07:00
Owner

Knocks out the weekly "pick one non-local container and make it local" task by moving external-secrets off ghcr.io onto a locally-built image, under our own supply-chain control. Doubles as its overdue service review.

What changed

  • containers/external-secrets/container.py (new) — native Dagger build (the Dockerfile→container.py migration pattern). Clones the forge mirror at v2.2.0 and builds the single all_providers static Go binary, faithful to upstream's make build (CGO off, no version ldflags upstream). ENTRYPOINT is /bin/external-secrets so the controller/webhook/cert-controller Deployments select their role via args: exactly as before.
  • argocd/manifests/external-secrets/kustomization.yaml — image swapped to registry.ops.eblu.me/blumeops/external-secrets:v2.2.0-2985007. Like-for-like (v2.2.0), not an upgrade.
  • service-versions.yaml — marked reviewed (2026-06-04), noted the local build.

Build

Built on the indri forge runner (run #579, ~4 min) → pushed to Zot. Image config verified: Entrypoint=/bin/external-secrets, User=65534, version label v2.2.0.

Deployed from branch & verified

  • All 3 pods (controller / webhook / cert-controller) rolled to the local image, 1/1 Running
  • Controller + webhook logs clean (no errors; webhook serving TLS)
  • End-to-end secret fetch proven: force-synced monitoring/grafana-admin → refreshTime advanced to now, Ready=True
  • All 10 ExternalSecrets cluster-wide remain SecretSynced=True — no collateral damage
  • App Healthy

Post-merge

external-secrets currently points at this branch (so apps reads OutOfSync — expected). After merge:

argocd app set external-secrets --revision main && argocd app sync external-secrets

🤖 Generated with Claude Code

Localizes external-secrets off ghcr.io: clones the forge mirror at v2.2.0
and builds the single all_providers static Go binary, faithful to upstream's
`make build`. ENTRYPOINT is the binary so the controller/webhook/cert-controller
Deployments can select their role via args.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Swap the controller/webhook/cert-controller image from ghcr.io to the locally
built registry.ops.eblu.me/blumeops/external-secrets:v2.2.0-2985007. Like-for-like
(v2.2.0); mark service reviewed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
eblume merged commit 0e70a1b524 into main 2026-06-04 14:55:59 -07:00
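
The image-config verification described under "Build" in the PR description can be written as a repeatable gate. The following is an added example, not code from this PR or the blumeops repository; the sample JSON is constructed in the OCI image-config layout, and the label key `org.opencontainers.image.version` and the function names are assumptions.

```python
import json

# Constructed sample in the OCI image-config layout (not captured from the real image).
SAMPLE_CONFIG = json.dumps({
    "architecture": "amd64",
    "os": "linux",
    "config": {
        "User": "65534",
        "Entrypoint": ["/bin/external-secrets"],
        "Labels": {"org.opencontainers.image.version": "v2.2.0"},  # label key is an assumption
    },
})

def parse_ref(ref):
    """Split 'host/path:tag' into (host, path, tag); digest references are not handled."""
    host, _, rest = ref.partition("/")
    path, _, tag = rest.rpartition(":") if ":" in rest else (rest, "", "")
    return host, path, tag

def check_image(ref, config_json, registry, entrypoint, version,
                version_label="org.opencontainers.image.version"):
    """Return a list of policy findings; an empty list means the image passes."""
    findings = []
    host, _, tag = parse_ref(ref)
    if host != registry:
        findings.append(f"registry {host!r} is not {registry!r}")
    # Accept the bare version or the version followed by a '-suffix' build id.
    if tag != version and not tag.startswith(version + "-"):
        findings.append(f"tag {tag!r} does not match version {version!r}")
    cfg = json.loads(config_json).get("config") or {}
    if cfg.get("Entrypoint") != entrypoint:
        findings.append(f"entrypoint is {cfg.get('Entrypoint')!r}")
    # User may be "uid", "uid:gid" or a name; empty means root. Require a numeric non-zero uid.
    uid = (cfg.get("User") or "").split(":")[0]
    if not uid.isdigit() or int(uid) == 0:
        findings.append(f"user {cfg.get('User')!r} is not a numeric non-root uid")
    label = (cfg.get("Labels") or {}).get(version_label)
    if label != version:
        findings.append(f"label {version_label} is {label!r}")
    return findings

if __name__ == "__main__":
    ref = "registry.ops.eblu.me/blumeops/external-secrets:v2.2.0-2985007"
    print(check_image(ref, SAMPLE_CONFIG, "registry.ops.eblu.me",
                      ["/bin/external-secrets"], "v2.2.0") or "image passes")
```
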
Reference
eblume/blumeops!367