What's Changed
This release was a lot of work. Thank you to everyone who provided contributions and tested the changes! :)
Reconciliation on Docker events
The reconciliation logic has been completely rewritten. Reconciliation is now triggered by events from the Docker daemon (such as a removed service or an unhealthy container) instead of checking on an interval whether reconciliation is needed.
Configuration options and further information can be found in the documentation.
Image digests are fetched with HEAD requests
Doco-CD now fetches image digests from container registries using HEAD requests to avoid rate limits, falling back to the previous GET request logic.
This is useful for registries like Docker Hub, where all GET requests against the registry count as an image pull, even if they don't download any image layers.
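The HEAD-first lookup with a GET fallback described above, as an added Go example (not doco-cd's own code). It reads the `Docker-Content-Digest` response header from the registry's manifests endpoint; `fetchDigest`, `stubRegistry` and the sample digest are hypothetical names and constructed values, and registry authentication is omitted.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

const acceptManifests = "application/vnd.oci.image.index.v1+json, application/vnd.oci.image.manifest.v1+json, " +
	"application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.docker.distribution.manifest.v2+json"

// fetchDigest (hypothetical helper, no auth): digest of repo:ref plus the method that returned it.
func fetchDigest(c *http.Client, registry, repo, ref string) (digest, method string, err error) {
	url := fmt.Sprintf("%s/v2/%s/manifests/%s", registry, repo, ref)
	for _, method = range []string{http.MethodHead, http.MethodGet} { // HEAD first, GET as fallback
		req, rerr := http.NewRequest(method, url, nil)
		if rerr != nil {
			return "", "", rerr
		}
		req.Header.Set("Accept", acceptManifests) // otherwise another schema (and digest) may be served
		resp, derr := c.Do(req)
		if err = derr; err != nil {
			continue
		}
		resp.Body.Close() // only the headers are needed
		if digest = resp.Header.Get("Docker-Content-Digest"); resp.StatusCode == http.StatusOK && digest != "" {
			return digest, method, nil
		}
		err = fmt.Errorf("%s %s: status %d, digest header %q", method, url, resp.StatusCode, digest)
	}
	return "", "", err
}

// stubRegistry is a constructed stand-in for a registry; headOK=false rejects HEAD.
func stubRegistry(digest string, headOK bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodHead && !headOK {
			w.WriteHeader(http.StatusMethodNotAllowed)
			return
		}
		w.Header().Set("Docker-Content-Digest", digest)
	}))
}

func main() {
	srv := stubRegistry("sha256:constructed-sample-digest", false)
	defer srv.Close()
	fmt.Println(fetchDigest(srv.Client(), srv.URL, "library/nginx", "latest"))
}
```

Comparing the returned digest with the digest of the running image shows whether a tag has moved without pulling any layers.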
New 1Password Connect provider
This release adds support for using a 1Password Connect Server as an external secrets provider.
A 1Password Connect server is a self-hosted proxy that caches vault data locally and serves secrets over a simple HTTP API. This is useful when you are deploying frequently or have multiple instances that would otherwise hit 1Password API rate limits.
See the docs for setup and usage: https://doco.cd/latest/External-Secrets/1Password-Connect/
Tip
For 1Password Users
For improved performance and to avoid API rate limits in high-volume deployments, consider using 1Password Connect instead of service account authentication (the 1Password provider).
1Password provider: Client-Side Caching
The 1Password provider now supports client-side caching to reduce API calls to the 1Password cloud.
Enable and configure caching with the following environment variables:
| Key | Description | Default |
|---|---|---|
| SECRET_PROVIDER_CACHE_ENABLED | Enables in-memory caching for resolved secrets | false |
| SECRET_PROVIDER_CACHE_TTL | Cache TTL for resolved secrets as a Go duration string (for example: 30s, 5m, 1h) | 5m |
| SECRET_PROVIDER_CACHE_MAX_SIZE | Maximum number of secrets stored in cache before least-recently-used entries are evicted | 100 |
Warning
If the cache TTL is too long, secrets may become outdated.
✨ Features
- feat(external-secrets): add client-side caching for 1Password secrets by @kimdre in #1286
- feat(external-secrets): add support for 1Password Connect Server by @kimdre in #1287
- feat: trigger reconciliation on Docker daemon events by @kimdre in #1268
🌟 Improvements
- feat: graceful shutdown by @qianlongzt in #1270
- fix: enhance GitHub release fetching by @kimdre in #1280
- feat(docker): lookup registry image digest via HEAD by @kimdre in #1294
- fix(external-secrets): resolve secrets in 1password connect provider concurrently by @kimdre in #1298
- fix(reconciliation): change default trigger events for reconciliation by @kimdre in #1300
📦 Dependencies
- chore(deps): update dependency zensical to v0.0.37 by @renovate[bot] in #1273
- chore(deps): update dependency zensical to v0.0.38 by @renovate[bot] in #1277
- fix(deps): update aws-sdk-go-v2 monorepo by @renovate[bot] in #1279
- fix(deps): update module github.com/docker/cli to v29.4.2+incompatible by @renovate[bot] in #1281
- chore(deps): update github/codeql-action digest to e46ed2c by @renovate[bot] in #1289
- chore(deps): pin dependencies by @renovate[bot] in #1288
- fix(deps): update module github.com/caarlos0/env/v11 to v11.4.1 by @renovate[bot] in #1291
- chore(deps): update dependency zensical to v0.0.39 by @renovate[bot] in #1290
- chore(deps): update module github.com/bombsimon/wsl/v5 to v5.8.0 by @renovate[bot] in #1292
- chore(deps): pin actions/add-to-project action to 244f685 by @renovate[bot] in #1299
📚 Miscellaneous
- docs: fix sitemap for latest symlink by @kimdre in #1272
- fix: docs CI pipeline by @kimdre in #1274
- docs: update Apprise documentation links by @kimdre in #1276
- docs: fix broken links and improve formatting by @kimdre in #1278
Full Changelog: v0.83.0...v0.84.0