Image: ghcr.io/external-secrets/external-secrets:v0.16.1
Image: ghcr.io/external-secrets/external-secrets:v0.16.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.16.1-ubi-boringssl

What's Changed

• chore: bump helm to 0.16.0 by @gusfcarvalho in #4660
• fix: remove crds from bundle by @gusfcarvalho in #4664
• fix: applying several pipeline fixes by @gusfcarvalho in #4667
• fix: pipeline permissions by @gusfcarvalho in #4669
• fix: publish permissions by @gusfcarvalho in #4670
• fix: prevent is-fork by @gusfcarvalho in #4671
• fix: publish workflow by @gusfcarvalho in #4672
• fix: conversion setting on bundle crds by @gusfcarvalho in #4673
• fix: remove the conversion hook completely by @Skarlso in #4675

Full Changelog: v0.16.0...v0.16.1

Guide to Promoting to 0.16

Pre Upgrade checks

Make sure you are not using any v1alpha1 resources across all of your infrastructure.

You can do that by performing manual inspection on your manifests, tooling, etc.

Make sure there are no storedVersions on v1alpha1 for externalsecrets, clusterexternalsecrets, secretstores and clustersecretstores crds:

Run the following command:

kubectl get crd \
    externalsecrets.external-secrets.io\
    secretstores.external-secrets.io\
    clustersecretstores.external-secrets.io\
    clusterexternalsecrets.external-secrets.io\
    -o jsonpath='{.items[*].status.storedVersions[?(@=="valpha1")]}' | \
    grep -q v1alpha1 && echo "NOT SAFE! REMOVE v1alpha1 FROM YOUR STORED VERSIONS" || echo "Safe to Continue"

If that command returns not safe, remove v1alpha1 from your stored versions. Make sure this status is persisted after you verify these commands.

kubectl patch --subresource=status crd externalsecrets.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd secretstores.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd clusterexternalsecrets.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd clustersecretstores.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 

Upgrading

CRDs as part of external-secrets installation

If you're installing external-secrets CRDs with helm (installCRDs=true - the default), all you need to do is

helm repo update
helm upgrade <your_app_name> external-secrets/external-secrets --version 0.16.1

The same goes if you're using argocd or flux and managing crds directly with helm. The above should just work.

CRDs installed separately

If CRDs are installed separately, the first step you need to do is bump the crds:

kubectl apply -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.16.1/deploy/crds/bundle.yaml

Verify no error occurs. After that, you can freely migrate external-secrets to v0.16.1.

Troubleshooting

conversion webhook for external-secrets.io/v1, Kind=ExternalSecret failed: the server could not find the requested resource

Root cause: the CRD installation process failed.
Double check your CRD installation process finished successfully