fix(deps): update module github.com/external-secrets/external-secrets to v0.10.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/external-secrets/external-secrets	v0.9.11 -> v0.10.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-45041

Details

The external-secrets has a deployment called default-external-secrets-cert-controller, which is bound with a same-name ClusterRole. This ClusterRole has "get/list" verbs of secrets resources(https://github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/templates/cert-controller-rbac.yaml#L49). It also has path/update verb of validatingwebhookconfigurations resources(https://github.com/external-secrets/external-secrets/blob/main/deploy/charts/external-secrets/templates/cert-controller-rbac.yaml#L27). As a result, if a malicious user can access the worker node which has this deployment. he/she can:

1. For the "get/list secrets" permission, he/she can abuse the SA token of this deployment to retrieve or get ALL secrets in the whole cluster, including the cluster-admin secret if created. After that, he/she can abuse the cluster-admin secret to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation.

2. For the patch/update verb of validatingwebhookconfigurations, the malicious user can abuse these permissions to get sensitive data or lanuch DoS attacks:

For the privilege escalation attack, by updating/patching a Webhook to make it listen to Secret update operations, the attacker can capture and log all data from requests attempting to update Secrets. More specifically, when a Secret is updated, this Webhook sends the request data to the logging-service, which can then log the content of the Secret. This way, an attacker could indirectly gain access to the full contents of the Secret.

For the DoS attack, by updating/patching a Webhook, and making it deny all Pod create and update requests, the attacker can prevent any new Pods from being created or existing Pods from being updated, resulting in a Denial of Service (DoS) attack.

PoC

Please see the "Details" section

Impact

Privilege escalation

---

Release Notes

external-secrets/external-secrets (github.com/external-secrets/external-secrets)

v0.10.2

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.10.2
Image: ghcr.io/external-secrets/external-secrets:v0.10.2-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.10.2-ubi-boringssl

What's Changed

• release: update helm charts to version v0.10.1 by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/3842
• fix: add watch to validatingwebhookconfigs by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/3845

Full Changelog: external-secrets/external-secrets@v0.10.1...v0.10.2

v0.10.1

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.10.1
Image: ghcr.io/external-secrets/external-secrets:v0.10.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.10.1-ubi-boringssl

What's Changed

• release: update helm chart to v0.10.0 by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/3758
• doc: add maintainer of the bitwarden secret manager provider by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/3762
• chore(deps): bump mkdocs-material from 9.5.30 to 9.5.31 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3763
• fix: decrypt remote parameter for SecureString type by @​vsantos in https://github.com/external-secrets/external-secrets/pull/3761
• chore: update dependencies by @​eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/3766
• chore(deps): bump golangci/golangci-lint-action from 6.0.1 to 6.1.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3765
• chore(deps): bump docker/setup-buildx-action from 3.5.0 to 3.6.1 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3764
• feat: add beyondtrust provider by @​btfhernandez in https://github.com/external-secrets/external-secrets/pull/3683
• chore: add minimal policy for fetching parameters from ssm by @​KrisJohnstone in https://github.com/external-secrets/external-secrets/pull/3770
• Add Grafana Labs to ADOPTERS.md by @​Duologic in https://github.com/external-secrets/external-secrets/pull/3787
• chore(deps): bump golang from 1.22.5 to 1.22.6 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3778
• chore(deps): bump pyyaml from 6.0.1 to 6.0.2 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3779
• chore(deps): bump zipp from 3.19.2 to 3.20.0 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3780
• chore(deps): bump babel from 2.15.0 to 2.16.0 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3781
• chore(deps): bump golang from 1.22.5-bookworm to 1.22.6-bookworm in /e2e by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3783
• chore(deps): bump github/codeql-action from 3.25.15 to 3.26.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3784
• chore(deps): bump fossas/fossa-action from 1.3.3 to 1.4.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3785
• chore(deps): bump watchdog from 4.0.1 to 4.0.2 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3782
• chore: update dependencies by @​eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/3786
• chore: update security best practice by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/3794
• feat: add CAProvider to Bitwarden provider by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/3699
• fix: run helm.test.update on main branch by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/3816
• chore: update dependencies by @​eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/3815
• chore(deps): bump importlib-resources from 6.4.0 to 6.4.3 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3810
• chore(deps): bump markdown from 3.6 to 3.7 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3811
• Bump helm-docs image version to v1.7.0 in Makefile by @​PrateekKumar1709 in https://github.com/external-secrets/external-secrets/pull/3806
• chore(deps): bump github/codeql-action from 3.26.0 to 3.26.2 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3812
• chore(deps): bump golang from 1.22.6-bookworm to 1.23.0-bookworm in /e2e by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3813
• chore: update go version of the project to 1.23 by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/3829
• Use maps package from standard library by @​BooleanCat in https://github.com/external-secrets/external-secrets/pull/3828
• chore: update dependencies by @​eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/3836
• add the resourceNames(git commit -s) by @​younaman in https://github.com/external-secrets/external-secrets/pull/3822
• chore(deps): bump mkdocs-material from 9.5.31 to 9.5.33 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3830
• chore(deps): bump importlib-metadata from 8.2.0 to 8.4.0 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3831
• chore(deps): bump paginate from 0.5.6 to 0.5.7 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3832
• chore(deps): bump golang from 1.22.6 to 1.23.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3814
• chore(deps): bump github/codeql-action from 3.26.2 to 3.26.5 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3835
• chore(deps): bump idna from 3.7 to 3.8 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3834
• chore(deps): bump importlib-resources from 6.4.3 to 6.4.4 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3833
• feat: implement GetSecretMap for Bitwarden provider by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/3800
• Demonstrate new slices/maps packages by @​BooleanCat in https://github.com/external-secrets/external-secrets/pull/3839

New Contributors

• @​btfhernandez made their first contribution in https://github.com/external-secrets/external-secrets/pull/3683
• @​KrisJohnstone made their first contribution in https://github.com/external-secrets/external-secrets/pull/3770
• @​PrateekKumar1709 made their first contribution in https://github.com/external-secrets/external-secrets/pull/3806
• @​BooleanCat made their first contribution in https://github.com/external-secrets/external-secrets/pull/3828
• @​younaman made their first contribution in https://github.com/external-secrets/external-secrets/pull/3822

Full Changelog: external-secrets/external-secrets@v0.10.0...v0.10.1

v0.10.0

Compare Source

⚠️ :red-alert: BREAKING CHANGE :red-alert: ⚠️

• Webhook Generator
  Webhook generator labels have changed from generators.external-secrets.io/type: webhook to external-secrets.io/type: webhook.

• Webhook Provider
  Webhook provider now can only use secrets that are labeled with external-secrets.io/type: webhook. This enforces explicit setup for webhook secrets by users.

Fixing the issue:

add the label for the secret used by the webhook:

apiVersion: v1
kind: Secret
metadata:
  name: your-secret
  labels:
    external-secrets.io/type: webhook ### <<<<<<<<<<<<< ADD THIS
data:
...

Image: ghcr.io/external-secrets/external-secrets:v0.10.0
Image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.10.0-ubi-boringssl

What's Changed

• chore: bump to 0.9.20 by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/3660
• chore(deps): bump golang from 1.22.4 to 1.22.5 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3662
• chore(deps): bump distroless/static from 4197211 to ce46866 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3663
• chore(deps): bump docker/setup-buildx-action from 3.3.0 to 3.4.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3665
• chore(deps): bump docker/setup-qemu-action from 3.0.0 to 3.1.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3666
• chore(deps): bump mkdocs-material from 9.5.27 to 9.5.28 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3667
• chore(deps): bump certifi from 2024.6.2 to 2024.7.4 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3668
• chore(deps): bump golang from 1.22.4-bookworm to 1.22.5-bookworm in /e2e by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3669
• chore: update dependencies by @​eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/3670
• sets eso-service-account for creating e2e comments by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/3678
• use github token for the actions check by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/3679
• Add support for Delinea Secret Server by @​pacificcode in https://github.com/external-secrets/external-secrets/pull/3468
• Fix: Only URL encode data being passed to URLs (#​3652) by @​ryanmeans in https://github.com/external-secrets/external-secrets/pull/3674
• Commenting secrets manifest from hashicorp vault integration #​3661 by @​jeffmachado in https://github.com/external-secrets/external-secrets/pull/3680
• docs: Fix namespaceRegexes in full-cluster-secret-store.yaml by @​excalq in https://github.com/external-secrets/external-secrets/pull/3681
• Support for Oracle PushSecret.property #​2911 by @​Aeyk in https://github.com/external-secrets/external-secrets/pull/3577
• support for adding headers in vault provider by @​abhinav1708 in https://github.com/external-secrets/external-secrets/pull/3677
• chore(deps): bump github/codeql-action from 3.25.11 to 3.25.12 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3688
• chore(deps): bump actions/setup-go from 5.0.1 to 5.0.2 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3691
• chore(deps): bump actions/setup-python from 5.1.0 to 5.1.1 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3690
• chore(deps): bump aquasecurity/trivy-action from 0.23.0 to 0.24.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3689
• chore(deps): bump golang from 8c9183f to 8c9183f by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3687
• chore(deps): bump mkdocs-material from 9.5.28 to 9.5.29 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3692
• fix: aws secretmanager's SecretExists returns true for non-existent secrets by @​mintbomb27 in https://github.com/external-secrets/external-secrets/pull/3684
• chore: update dependencies by @​eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/3693
• Added 2 articles I wrote on AWS secrets injection and ESO templating by @​alinadir44 in https://github.com/external-secrets/external-secrets/pull/3707
• Update docs for namespaceSelectors usage and namespaceSelector deprecation by @​mtougeron in https://github.com/external-secrets/external-secrets/pull/3695
• fix: add namespace to path and route construction by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/3632
• chore(deps): bump softprops/action-gh-release from 2.0.6 to 2.0.8 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3708
• chore(deps): bump github/codeql-action from 3.25.12 to 3.25.13 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3709
• Update bitwarden-secrets-manager.md by @​zazathomas in https://github.com/external-secrets/external-secrets/pull/3710
• chore: update dependencies by @​eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/3711
• feat: add PushSecret support for Pulumi ESC by @​dirien in https://github.com/external-secrets/external-secrets/pull/3597
• remove redundant parameter grab call, we already have the data by @​rumenvasilev in https://github.com/external-secrets/external-secrets/pull/3722
• chore(deps): bump docker/login-action from 3.2.0 to 3.3.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3729
• chore(deps): bump ossf/scorecard-action from 2.3.3 to 2.4.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3727
• chore(deps): bump docker/setup-buildx-action from 3.4.0 to 3.5.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3728
• chore(deps): bump docker/setup-qemu-action from 3.1.0 to 3.2.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3731
• chore(deps): bump github/codeql-action from 3.25.13 to 3.25.15 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3730
• chore(deps): bump alpine from 77726ef to 0a4eaa0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3733
• chore(deps): bump golang from 8c9183f to 0d3653d by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3732
• feat: increase verbosity of error message during validation by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/3742
• chore(deps): bump golang from 6c27802 to af9b40f in /e2e by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3734
• chore(deps): bump alpine from 3.20.1 to 3.20.2 in /e2e by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3735
• chore(deps): bump alpine from b89d9c9 to 0a4eaa0 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3736
• chore(deps): bump regex from 2024.5.15 to 2024.7.24 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3737
• chore(deps): bump mkdocs-material from 9.5.29 to 9.5.30 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3738
• chore(deps): bump importlib-metadata from 8.0.0 to 8.2.0 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3739
• chore(deps): bump pymdown-extensions from 10.8.1 to 10.9 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3740
• docs: Remove references to pemCertificate and pemPrivateKey functions by @​trenslow in https://github.com/external-secrets/external-secrets/pull/3744
• chore: update dependencies by @​eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/3741
• docs: Improvements in the ExternalSecret comments in API section by @​c-neto in https://github.com/external-secrets/external-secrets/pull/3725
• feat: add prefix definition to all secret keys for aws parameter store by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/3718
• feat: do not modify the secret in case of a NotModified by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/3746
• feat: webhook secrets must be labeled by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/3753
• feat: support pkcs12 with chain in pushsecret to Azure KeyVault by @​mysteq in https://github.com/external-secrets/external-secrets/pull/3747
• docs: document fullPemToPkcs12 and fullPemToPkcs12Pass helper functions by @​mysteq in https://github.com/external-secrets/external-secrets/pull/3749

New Contributors

• @​ryanmeans made their first contribution in https://github.com/external-secrets/external-secrets/pull/3674
• @​jeffmachado made their first contribution in https://github.com/external-secrets/external-secrets/pull/3680
• @​excalq made their first contribution in https://github.com/external-secrets/external-secrets/pull/3681
• @​Aeyk made their first contribution in https://github.com/external-secrets/external-secrets/pull/3577
• @​abhinav1708 made their first contribution in https://github.com/external-secrets/external-secrets/pull/3677
• @​mintbomb27 made their first contribution in https://github.com/external-secrets/external-secrets/pull/3684
• @​alinadir44 made their first contribution in https://github.com/external-secrets/external-secrets/pull/3707
• @​mtougeron made their first contribution in https://github.com/external-secrets/external-secrets/pull/3695
• @​zazathomas made their first contribution in https://github.com/external-secrets/external-secrets/pull/3710
• @​rumenvasilev made their first contribution in https://github.com/external-secrets/external-secrets/pull/3722
• @​trenslow made their first contribution in https://github.com/external-secrets/external-secrets/pull/3744
• @​c-neto made their first contribution in https://github.com/external-secrets/external-secrets/pull/3725
• @​mysteq made their first contribution in https://github.com/external-secrets/external-secrets/pull/3747

Full Changelog: external-secrets/external-secrets@v0.9.20...v0.10.0

v0.9.20

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.9.20
Image: ghcr.io/external-secrets/external-secrets:v0.9.20-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.9.20-ubi-boringssl

What's Changed

• bump 0.9.19 by @​knelasevero in https://github.com/external-secrets/external-secrets/pull/3553
• Fix typo: temaplate --> template by @​lindhe in https://github.com/external-secrets/external-secrets/pull/3554
• Oracle Vault Provider Documentation by @​anders-swanson in https://github.com/external-secrets/external-secrets/pull/3551
• feat: add location to GCP push secret by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/3502
• add log.level and log.encoding to all components by @​KyriosGN0 in https://github.com/external-secrets/external-secrets/pull/3558
• chore(deps): bump github/codeql-action from 3.25.7 to 3.25.8 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3561
• chore(deps): bump aquasecurity/trivy-action from 0.21.0 to 0.22.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3562
• chore(deps): bump tornado from 6.4 to 6.4.1 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3563
• chore(deps): bump packaging from 24.0 to 24.1 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3564
• chore(deps): bump mkdocs-material from 9.5.25 to 9.5.26 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3565
• chore(deps): bump zipp from 3.19.1 to 3.19.2 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3566
• chore(deps): bump ubi8/ubi-minimal from 9e458f4 to 5f1cd34 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3568
• chore(deps): bump golang from 1.22.3-bookworm to 1.22.4-bookworm in /e2e by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3569
• chore(deps): bump golang from 1.22.3 to 1.22.4 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3567
• Infisical provider by @​akhilmhdh in https://github.com/external-secrets/external-secrets/pull/3477
• feat: kick github actions on main by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/3572
• feat: add support to set Type for AWS parameter store by @​vsantos in https://github.com/external-secrets/external-secrets/pull/3576
• Remove shuheiktgw from maintainers by @​shuheiktgw in https://github.com/external-secrets/external-secrets/pull/3573
• Add device42 provider by @​smcavallo in https://github.com/external-secrets/external-secrets/pull/3571
• ref: parameter store should be called only once by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/3584
• chore: update dependencies by @​eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/3570
• feat(certcontroller): Allow restricting CRDs and Webhook configs in Informer cache by @​toVersus in https://github.com/external-secrets/external-secrets/pull/3588
• Support glob for namespaces condition in ClusterSecretStore by @​speedfl in https://github.com/external-secrets/external-secrets/pull/2920
• Fix typo privatKey in multiple files by @​IdanAdar in https://github.com/external-secrets/external-secrets/pull/3578
• chore(deps): bump mkdocs-material from 9.5.26 to 9.5.27 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3595
• chore(deps): bump github/codeql-action from 3.25.8 to 3.25.10 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3591
• chore(deps): bump codecov/codecov-action from 4.4.1 to 4.5.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3592
• chore(deps): bump actions/checkout from 4.1.6 to 4.1.7 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3590
• chore: update dependencies by @​eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/3596
• chore(deps): bump golang from aec4784 to 9678844 in /e2e by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3593
• chore(deps): bump golang from 9bdd569 to 6522f0c by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3594
• feat(chart): Enable partial cache for certcontroller when installCRDs=true by @​toVersus in https://github.com/external-secrets/external-secrets/pull/3589
• Add skip unmanaged store logic for push secret controller by @​Bude8 in https://github.com/external-secrets/external-secrets/pull/3123
• fix(vault): Fix crash when caching is enabled and a token expires by @​agunnerson-elastic in https://github.com/external-secrets/external-secrets/pull/3598
• Remove the use of "golang.org/x/crypto/pkcs12" by @​yihuaf in https://github.com/external-secrets/external-secrets/pull/3601
• Make UBI more tolerable from OS vulnerabilities by @​IdanAdar in https://github.com/external-secrets/external-secrets/pull/3607
• fix: explicitly fetch status subresource due to inconsistencies by @​moolen in https://github.com/external-secrets/external-secrets/pull/3608
• Adds codepath for removing finalizers by @​lllamnyp in https://github.com/external-secrets/external-secrets/pull/3610
• chore: update dependencies by @​eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/3624
• chore(deps): bump alpine from 3.20.0 to 3.20.1 in /e2e by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3622
• chore(deps): bump alpine from 77726ef to b89d9c9 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3621
• chore(deps): bump golang from 6522f0c to ace6cc3 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3620
• chore(deps): bump urllib3 from 2.2.1 to 2.2.2 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3618
• chore(deps): bump importlib-metadata from 7.1.0 to 7.2.1 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3617
• chore(deps): bump livereload from 2.6.3 to 2.7.0 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3616
• chore(deps): bump aquasecurity/trivy-action from 0.22.0 to 0.23.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3615
• chore(deps): bump softprops/action-gh-release from 2.0.5 to 2.0.6 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3614
• Fix ACR External Secret example by @​ellenfieldn in https://github.com/external-secrets/external-secrets/pull/3626
• feat: add bitwarden secret manager support by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/3603
• fix: e2e installation of ESO needs to update dependencies first by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/3635
• added secretserver env vars to e2e.yml by @​pacificcode in https://github.com/external-secrets/external-secrets/pull/3636
• docs: fix dataFrom.find in ExternalSecret api example by @​sboschman in https://github.com/external-secrets/external-secrets/pull/3633
• chore: update dependencies by @​eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/3641
• chore(deps): bump github/codeql-action from 3.25.10 to 3.25.11 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3640
• chore(deps): bump importlib-metadata from 7.2.1 to 8.0.0 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/3639
• add AuthRef to kubernetes provider fixes #​3627 by @​kaedwen in https://github.com/external-secrets/external-secrets/pull/3628
• fix: implement handling for pushing whole k8s secret to gcsm by @​thejosephstevens in https://github.com/external-secrets/external-secrets/pull/3644
• bump e2e pipeline by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/3646
• fix e2e permissions by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/3647
• bump docs with e2e commands by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/3648
• also needs pull-requests by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/3649
• use github token to allow comment by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/3651
• fix(webhook): perform conversion of data by @​cardoe in https://github.com/external-secrets/external-secrets/pull/3638
• feat: implement pushing whole k8s secret to Azure Keyvault by @​CCOLLOT in https://github.com/external-secrets/external-secrets/pull/3650
• fix(vault): Treat tokens expiring in <60s as expired by @​agunnerson-elastic in https://github.com/external-secrets/external-secrets/pull/3637
• Allow specifying the same namespace for SecretStores by @​shuheiktgw in https://github.com/external-secrets/external-secrets/pull/3555
• docs: add proposal for PushSecret metadata by @​moolen in https://github.com/external-secrets/external-secrets/pull/3612
• fix github credentials by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/3656
• docs: updated k8s support for ESO v0.9 by @​shazib-summar in https://github.com/external-secrets/external-secrets/pull/3659

New Contributors

• @​lindhe made their first contribution in https://github.com/external-secrets/external-secrets/pull/3554
• @​KyriosGN0 made their first contribution in https://github.com/external-secrets/external-secrets/pull/3558
• @​akhilmhdh made their first contribution in https://github.com/external-secrets/external-secrets/pull/3477
• @​smcavallo made their first contribution in https://github.com/external-secrets/external-secrets/pull/3571
• @​toVersus made their first contribution in https://github.com/external-secrets/external-secrets/pull/3588
• @​speedfl made their first contribution in https://github.com/external-secrets/external-secrets/pull/2920
• @​Bude8 made their first contribution in https://github.com/external-secrets/external-secrets/pull/3123
• @​agunnerson-elastic made their first contribution in https://github.com/external-secrets/external-secrets/pull/3598
• @​yihuaf made their first contribution in https://github.com/external-secrets/external-secrets/pull/3601
• @​lllamnyp made their first contribution in https://github.com/external-secrets/external-secrets/pull/3610
• @​ellenfieldn made their first contribution in https://github.com/external-secrets/external-secrets/pull/3626
• @​pacificcode made their first contribution in https://github.com/external-secrets/external-secrets/pull/3636
• @​sboschman made their first contribution in https://github.com/external-secrets/external-secrets/pull/3633
• @​kaedwen made their first contribution in https://github.com/external-secrets/external-secrets/pull/3628
• @​thejosephstevens made their first contribution in https://github.com/external-secrets/external-secrets/pull/3644
• @​cardoe made their first contribution in https://github.com/external-secrets/external-secrets/pull/3638
• @​CCOLLOT made their first contribution in https://github.com/external-secrets/external-secrets/pull/3650
• @​shazib-summar made their first contribution in [https://github.com/external-secrets/ex

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 56 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.22.3 -> 1.23.1
k8s.io/api	v0.30.1 -> v0.31.0
k8s.io/apiextensions-apiserver	v0.30.0 -> v0.31.0
github.com/Azure/azure-sdk-for-go/sdk/azcore	v1.11.1 -> v1.14.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity	v1.5.2 -> v1.7.0
github.com/Azure/azure-sdk-for-go/sdk/internal	v1.5.2 -> v1.10.0
github.com/aws/aws-sdk-go	v1.53.3 -> v1.55.5
github.com/cespare/xxhash/v2	v2.2.0 -> v2.3.0
github.com/emicklei/go-restful/v3	v3.12.0 -> v3.12.1
github.com/go-logr/logr	v1.4.1 -> v1.4.2
github.com/google/cel-go	v0.17.8 -> v0.20.1
github.com/grpc-ecosystem/grpc-gateway/v2	v2.16.0 -> v2.20.0
github.com/hashicorp/go-retryablehttp	v0.7.5 -> v0.7.7
github.com/hashicorp/vault/api	v1.10.0 -> v1.14.0
github.com/hashicorp/vault/api/auth/approle	v0.5.0 -> v0.7.0
github.com/hashicorp/vault/api/auth/kubernetes	v0.5.0 -> v0.7.0
github.com/klauspost/compress	v1.17.4 -> v1.17.9
github.com/prometheus/client_golang	v1.19.1 -> v1.20.2
github.com/prometheus/common	v0.53.0 -> v0.55.0
github.com/prometheus/procfs	v0.12.0 -> v0.15.1
github.com/rogpeppe/go-internal	v1.11.1-0.20231026093722-fa6a31e0812c -> v1.12.0
github.com/spf13/cast	v1.6.0 -> v1.7.0
github.com/spf13/cobra	v1.8.0 -> v1.8.1
go.mongodb.org/mongo-driver	v1.14.0 -> v1.16.1
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc	v0.46.1 -> v0.54.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.49.0 -> v0.54.0
go.opentelemetry.io/otel	v1.24.0 -> v1.29.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace	v1.21.0 -> v1.28.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc	v1.21.0 -> v1.27.0
go.opentelemetry.io/otel/metric	v1.24.0 -> v1.29.0
go.opentelemetry.io/otel/sdk	v1.21.0 -> v1.28.0
go.opentelemetry.io/otel/trace	v1.24.0 -> v1.29.0
go.opentelemetry.io/proto/otlp	v1.0.0 -> v1.3.1
go.uber.org/zap	v1.26.0 -> v1.27.0
golang.org/x/crypto	v0.23.0 -> v0.26.0
golang.org/x/exp	v0.0.0-20240416160154-fe59bbe5cc7f -> v0.0.0-20240808152545-0cdaa3abc0fa
golang.org/x/mod	v0.17.0 -> v0.20.0
golang.org/x/net	v0.25.0 -> v0.28.0
golang.org/x/oauth2	v0.20.0 -> v0.22.0
golang.org/x/sync	v0.7.0 -> v0.8.0
golang.org/x/sys	v0.20.0 -> v0.24.0
golang.org/x/term	v0.20.0 -> v0.23.0
golang.org/x/text	v0.15.0 -> v0.17.0
golang.org/x/time	v0.5.0 -> v0.6.0
golang.org/x/tools	v0.20.0 -> v0.24.0
google.golang.org/genproto/googleapis/api	v0.0.0-20240415180920-8c6c420018be -> v0.0.0-20240823204242-4ba0660f739c
google.golang.org/genproto/googleapis/rpc	v0.0.0-20240429193739-8cf5692501f6 -> v0.0.0-20240823204242-4ba0660f739c
google.golang.org/grpc	v1.63.2 -> v1.65.0
google.golang.org/protobuf	v1.34.1 -> v1.34.2
k8s.io/apimachinery	v0.30.1 -> v0.31.0
k8s.io/apiserver	v0.30.0 -> v0.31.0
k8s.io/component-base	v0.30.0 -> v0.31.0
k8s.io/klog/v2	v2.120.1 -> v2.130.1
k8s.io/kube-openapi	v0.0.0-20240423202451-8948a665c108 -> v0.0.0-20240822171749-76de80e0abd9
k8s.io/utils	v0.0.0-20240423183400-0849a56e8f22 -> v0.0.0-20240821151609-f90d01438635
sigs.k8s.io/apiserver-network-proxy/konnectivity-client	v0.29.0 -> v0.30.3
sigs.k8s.io/controller-runtime	v0.18.2 -> v0.19.0