Significant decrease in Kubernetes API load
A new way of reconciling external secrets has been added with pull request #4086.
This significantly reduces the number of API calls that we make to the kubernetes API server.
- Memory usage might increase if you are not already using --enable-secrets-caching
- If you are using --enable-secrets-caching and want to decrease memory usage at the expense of slightly higher API usage, you can disable it and only enable --enable-managed-secrets-caching (which is the new default)
- If you are using
- In ALL cases (even when CreationPolicy is Merge), if a data key in the target Secret was created by the ExternalSecret and it no longer exists in the template (or data/dataFrom), it will be removed from the target Secret:
  - This might cause some people's secrets to be "cleaned of data keys" when updating to 0.11.
  - Previously, the behaviour was undefined and confusing, because it was partially broken when the template feature was added.
  - The one exception is when ALL the data suddenly becomes empty and the DeletionPolicy is Retain, in which case we will not even report an error, just change the SecretSynced message to explain that the secret was retained.
- When CreationPolicy is Owner, we will now NEVER retain any keys and fully calculate the "desired state" of the target Secret each loop:
  - This means that some people's secrets might have keys removed when updating to 0.11.
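To see which keys an upgrade to 0.11 would drop from a target Secret, here is a small model of the key-removal rules listed above; it is an added illustration, not the controller's own code, and it assumes the caller already knows which keys the ExternalSecret created (managed_keys) and only handles the Owner and Merge policies the notes describe.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class ReconcileResult:
    data: dict[str, bytes]                 # data the target Secret would end up with
    retained: bool = False                 # True when the Retain exception applied
    removed: list[str] = field(default_factory=list)  # keys dropped from the target


def reconcile_keys(existing: dict[str, bytes], managed_keys: set[str],
                   desired: dict[str, bytes], creation_policy: str,
                   deletion_policy: str) -> ReconcileResult:
    """Model of the 0.11 behaviour: existing is the target Secret's current data,
    managed_keys are keys the ExternalSecret created (assumed to be tracked by the
    controller), desired is the data rendered from template/data/dataFrom."""
    if creation_policy not in ("Owner", "Merge"):
        raise ValueError(f"policy {creation_policy!r} not covered by this model")

    # Exception: everything became empty and DeletionPolicy is Retain -> secret untouched
    if not desired and deletion_policy == "Retain":
        return ReconcileResult(dict(existing), retained=True)

    if creation_policy == "Owner":
        # Owner: desired state is fully recomputed each loop, nothing is retained
        removed = sorted(k for k in existing if k not in desired)
        return ReconcileResult(dict(desired), removed=removed)

    # Merge: keep keys the ExternalSecret did not create, drop managed keys that
    # disappeared from the template, then overlay the desired data
    kept = {k: v for k, v in existing.items() if k in desired or k not in managed_keys}
    removed = sorted(k for k in existing if k in managed_keys and k not in desired)
    kept.update(desired)
    return ReconcileResult(kept, removed=removed)


if __name__ == "__main__":
    # constructed sample: "foreign" was written by something other than the ExternalSecret
    current = {"db_user": b"app", "db_pass": b"s3cr3t", "foreign": b"x"}
    wanted = {"db_user": b"app"}  # db_pass was removed from the template
    print(reconcile_keys(current, {"db_user", "db_pass"}, wanted, "Merge", "Retain"))
```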
Generators and ClusterGenerator
We also added ClusterGenerators and Generator caching. This might cause some problems with the way generators are currently defined.
CRD Admission Restrictions
All of the CRDs now have proper kubebuilder validation markers. This might surprise users who were leaving out data that was actually required, or supplying it in a format other than the expected one; as of #4104, this is now validated at admission time.
Images
Image: ghcr.io/external-secrets/external-secrets:v0.11.0
Image: ghcr.io/external-secrets/external-secrets:v0.11.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.11.0-ubi-boringssl
What's Changed
- chore: bump version v0.10.7 by @Skarlso in #4141
- feat: significantly reduce api calls and introduce partial secret cache by @thesuperzapper in #4086
- chore(deps): bump mkdocs-material from 9.5.44 to 9.5.45 in /hack/api-docs by @dependabot in #4143
- chore(deps): bump tornado from 6.4.1 to 6.4.2 in /hack/api-docs by @dependabot in #4144
- chore(deps): bump codecov/codecov-action from 5.0.2 to 5.0.7 by @dependabot in #4145
- chore(deps): bump aquasecurity/trivy-action from 0.28.0 to 0.29.0 by @dependabot in #4146
- chore(deps): bump github/codeql-action from 3.27.4 to 3.27.5 by @dependabot in #4147
- chore: update dependencies by @eso-service-account-app in #4148
- fix: gitlab empty response by @Skarlso in #4152
- feat: add ability to push expiration date to secret in azure key vault by @deggja in #4149
- feat: implement a cluster-wide generator by @Skarlso in #4140
- feat: Add API key auth support on BeyondTrust provider by @dtejadav in #4101
- Add support for multiple Items fields in DelineSecretServer secrets by @ronaldosaheki in #4051
- chore: deprecation policy and deprecating process by @gusfcarvalho in #4154
- fix: use cache when retrieving generators by @thesuperzapper in #4153
- fix: e2e test for AWS not setting name and namespace by @Skarlso in #4157
- fix: handle managed identity ClientID or ResourceID in acr generator by @bonddim in #4150
- feat: add CRD validation for resource name/key fields by @thesuperzapper in #4104
- fix: issues with generators by @thesuperzapper in #4163
New Contributors
- @thesuperzapper made their first contribution in #4086
- @deggja made their first contribution in #4149
- @dtejadav made their first contribution in #4101
- @ronaldosaheki made their first contribution in #4051
- @bonddim made their first contribution in #4150
Full Changelog: v0.10.7...v0.11.0