2026-06-04 14:55:59 -07:00
4 changed files with 59 additions and 3 deletions
--- a/argocd/manifests/external-secrets/kustomization.yaml
+++ b/argocd/manifests/external-secrets/kustomization.yaml
@ -12,4 +12,5 @@ resources:
 images:
  - name: ghcr.io/external-secrets/external-secrets
-    newTag: v2.2.0
+    newName: registry.ops.eblu.me/blumeops/external-secrets
    newTag: v2.2.0-2985007
--- a/containers/external-secrets/container.py
+++ b/containers/external-secrets/container.py
@ -0,0 +1,51 @@
 """External Secrets Operator — native Dagger build.
 Two-stage build: Go binary (all providers), Alpine runtime.
 Source cloned from forge mirror.
 A single binary serves as the controller, webhook, and cert-controller; the
 Deployments select the role via a subcommand passed in `args:`, so the image
 ENTRYPOINT must be the binary itself (matching upstream's distroless image).
 """
 import dagger
 from blumeops.containers import (
    alpine_runtime,
    clone_from_forge,
    go_build,
    oci_labels,
 )
 VERSION = "v2.2.0"
 async def build(src: dagger.Directory) -> dagger.Container:
    source = clone_from_forge("external-secrets", VERSION)
    # Upstream `make build` compiles every secret provider into a single
    # static binary (`-tags all_providers`, CGO disabled). Mirror that so the
    # local image is functionally identical to ghcr.io/.../external-secrets.
    backend = go_build(
        source,
        "/external-secrets",
        tags="all_providers",
    )
    runtime = alpine_runtime(
        extra_apk=["ca-certificates"],
        create_user=False,
    )
    runtime = oci_labels(
        runtime,
        title="External Secrets Operator",
        description=(
            "Kubernetes operator that integrates external secret management systems"
        ),
        version=VERSION,
    )
    return (
        runtime.with_file("/bin/external-secrets", backend.file("/external-secrets"))
        .with_user("65534")
        .with_entrypoint(["/bin/external-secrets"])
    )
--- a/docs/changelog.d/local-external-secrets.infra.md
+++ b/docs/changelog.d/local-external-secrets.infra.md
@ -0,0 +1 @@
 Localized the external-secrets controller image. It now builds from the forge mirror via a native Dagger `container.py` (single `all_providers` static Go binary, faithful to upstream's `make build`) and is served from `registry.ops.eblu.me/blumeops/external-secrets` instead of `ghcr.io`, bringing another platform component under local supply-chain control.
--- a/service-versions.yaml
+++ b/service-versions.yaml
@ -159,10 +159,13 @@ services:
  - name: external-secrets
    type: argocd
-    last-reviewed: 2026-03-25
+    last-reviewed: 2026-06-04
    current-version: "v2.2.0"
    upstream-source: https://github.com/external-secrets/external-secrets/releases
-    notes: Static kustomize manifests rendered from upstream Helm chart
+    notes: >-
      Static kustomize manifests rendered from upstream Helm chart. Controller
      image is locally built from the forge mirror via containers/external-secrets/container.py
      (single all_providers static Go binary).
  - name: 1password-connect
    type: argocd
		`@ -0,0 +1 @@`
							Localized the external-secrets controller image. It now builds from the forge mirror via a native Dagger `container.py` (single `all_providers` static Go binary, faithful to upstream's `make build`) and is served from `registry.ops.eblu.me/blumeops/external-secrets` instead of `ghcr.io`, bringing another platform component under local supply-chain control.