feat(helm): update external-secrets ( 0.14.3 → 0.16.1 )

[renovate]

This PR contains the following updates:

Package	Update	Change
external-secrets	minor	0.14.3 -> 0.16.1

---

Release Notes

external-secrets/external-secrets (external-secrets)

v0.16.1

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.16.1
Image: ghcr.io/external-secrets/external-secrets:v0.16.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.16.1-ubi-boringssl

What's Changed

• chore: bump helm to 0.16.0 by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4660
• fix: remove crds from bundle by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4664
• fix: applying several pipeline fixes by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4667
• fix: pipeline permissions by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4669
• fix: publish permissions by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4670
• fix: prevent is-fork by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4671
• fix: publish workflow by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4672
• fix: conversion setting on bundle crds by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4673
• fix: remove the conversion hook completely by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4675

Full Changelog: external-secrets/external-secrets@v0.16.0...v0.16.1

Guide to Promoting to 0.16

Pre Upgrade checks

Make sure you are not using any v1alpha1 resources across all of your infrastructure.

You can do that by performing manual inspection on your manifests, tooling, etc.

Make sure there are no storedVersions on v1alpha1 for externalsecrets, clusterexternalsecrets, secretstores and clustersecretstores crds:

Run the following command:

kubectl get crd \
    externalsecrets.external-secrets.io\
    secretstores.external-secrets.io\
    clustersecretstores.external-secrets.io\
    clusterexternalsecrets.external-secrets.io\
    -o jsonpath='{.items[*].status.storedVersions[?(@​=="valpha1")]}' | \
    grep -q v1alpha1 && echo "NOT SAFE! REMOVE v1alpha1 FROM YOUR STORED VERSIONS" || echo "Safe to Continue"

If that command returns not safe, remove v1alpha1 from your stored versions. Make sure this status is persisted after you verify these commands.

kubectl patch --subresource=status crd externalsecrets.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd secretstores.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd clusterexternalsecrets.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 
kubectl patch --subresource=status crd clustersecretstores.external-secrets.io --type=json -p='[{"op": "replace", "path": "/status/storedVersions", "value": ["v1", "v1beta1"]}]' 

Upgrading

CRDs as part of external-secrets installation

If you're installing external-secrets CRDs with helm (installCRDs=true - the default), all you need to do is

helm repo update
helm upgrade <your_app_name> external-secrets/external-secrets --version 0.16.1

The same goes if you're using argocd or flux and managing crds directly with helm. The above should just work.

CRDs installed separately

If CRDs are installed separately, the first step you need to do is bump the crds:

kubectl apply -f https://raw.githubusercontent.com/external-secrets/external-secrets/v0.16.1/deploy/crds/bundle.yaml

Verify no error occurs. After that, you can freely migrate external-secrets to v0.16.1.

Troubleshooting

conversion webhook for external-secrets.io/v1, Kind=ExternalSecret failed: the server could not find the requested resource

Root cause: the CRD installation process failed.
Double check your CRD installation process finished successfully

v0.16.0

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.16.0
Image: ghcr.io/external-secrets/external-secrets:v0.16.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.16.0-ubi-boringssl

What's Changed

• chore: bump 0.15.1 by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4599
• chore(deps): bump distroless/static from 95ea148 to 3d0f463 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4602
• chore(deps): bump actions/setup-python from 5.4.0 to 5.5.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4603
• chore(deps): bump crazy-max/ghaction-import-gpg from 6.2.0 to 6.3.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4605
• chore(deps): bump goreleaser/goreleaser-action from 6.2.1 to 6.3.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4606
• chore(deps): bump github/codeql-action from 3.28.12 to 3.28.13 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4607
• chore(deps): bump mkdocs-material from 9.6.9 to 9.6.10 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4608
• remove days from refreshInterval docs by @​lmcewen9 in https://github.com/external-secrets/external-secrets/pull/4601
• feat: Add AWSProvider.prefix to aws secrets manager by @​justinwalz in https://github.com/external-secrets/external-secrets/pull/4612
• feat(aws): support for aws tags by @​ivankatliarchuk in https://github.com/external-secrets/external-secrets/pull/4538
• docs: remove OLM installation and release docs by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4617
• chore: update dependencies by @​eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4609
• chore(deps): bump golang from 1.24.1 to 1.24.2 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4618
• chore(deps): bump termcolor from 2.5.0 to 3.0.1 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4619
• chore(deps): bump mkdocs-material from 9.6.10 to 9.6.11 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4620
• chore(deps): bump golang from 1.24.1-bookworm to 1.24.2-bookworm in /e2e by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4621
• fix(gcp): makes workload identity parameters optional by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4622
• chore: update dependencies by @​eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4624
• feat: check-diff on update deps by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4632
• docs: fix pento website url in the docs by @​pragmaticivan in https://github.com/external-secrets/external-secrets/pull/4639
• Support annotations on ValidatingWebhookConfigurations in order to su… by @​davidkarlsen in https://github.com/external-secrets/external-secrets/pull/4638
• fix: controller-options by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4637
• fix: failure on github deprecation use of status checks by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4640
• fix: replace error check with ok check by @​iurisevero in https://github.com/external-secrets/external-secrets/pull/4636
• feat: ​add refreshPolicy field to ExternalSecret for enhanced synchronization control​ by @​Sn0rt in https://github.com/external-secrets/external-secrets/pull/4594
• fix: enhancing security for new workflow by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4641
• chore(deps): bump golang from 75e6700 to 00eccd4 in /e2e by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4644
• chore(deps): bump golang from 7772cb5 to 7772cb5 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4649
• chore(deps): bump github/codeql-action from 3.28.13 to 3.28.15 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4645
• chore(deps): bump markdown from 3.7 to 3.8 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4646
• chore(deps): bump urllib3 from 2.3.0 to 2.4.0 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4647
• chore: update dependencies by @​eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4651
• chore: bump go to 1.24.2 by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4652
• chore: promote v1 by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4635
• fix: revert main to 0.15.1 by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4657
• fix: restore 0.16.0 by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4659

New Contributors

• @​lmcewen9 made their first contribution in https://github.com/external-secrets/external-secrets/pull/4601
• @​justinwalz made their first contribution in https://github.com/external-secrets/external-secrets/pull/4612
• @​ivankatliarchuk made their first contribution in https://github.com/external-secrets/external-secrets/pull/4538
• @​pragmaticivan made their first contribution in https://github.com/external-secrets/external-secrets/pull/4639
• @​davidkarlsen made their first contribution in https://github.com/external-secrets/external-secrets/pull/4638

Full Changelog: external-secrets/external-secrets@v0.15.1...v0.16.0

v0.15.1

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.15.1
Image: ghcr.io/external-secrets/external-secrets:v0.15.1-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.15.1-ubi-boringssl

What's Changed

• chore: update helm charts to v0.15.0 by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4566
• Exclude unused resources from rbac by @​bb-Ricardo in https://github.com/external-secrets/external-secrets/pull/4572
• fix: disable ClusterPushSecret reconciler when using scoped RBAC in helm chart by @​mrsimo in https://github.com/external-secrets/external-secrets/pull/4571
• Clarify the implications of setting refreshInterval to 0 by @​exaV in https://github.com/external-secrets/external-secrets/pull/4567
• Add webhook.create: false warning comment by @​thecosmicfrog in https://github.com/external-secrets/external-secrets/pull/4579
• fix: bump jwt for cve fix by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4580
• adding conjur description by @​aakashagg in https://github.com/external-secrets/external-secrets/pull/4578
• Lookup cluster workload identity from instance metadata by @​xinau in https://github.com/external-secrets/external-secrets/pull/4575
• chore(deps): bump ubi8/ubi from 5993454 to 8bd1b63 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4581
• chore(deps): bump actions/cache from 4.2.2 to 4.2.3 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4582
• chore(deps): bump golangci/golangci-lint-action from 6.5.1 to 6.5.2 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4583
• chore(deps): bump actions/setup-go from 5.3.0 to 5.4.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4584
• chore(deps): bump github/codeql-action from 3.28.11 to 3.28.12 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4585
• chore(deps): bump platformdirs from 4.3.6 to 4.3.7 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4587
• chore(deps): bump mkdocs-material from 9.6.8 to 9.6.9 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4588
• chore(deps): bump fossas/fossa-action from 1.5.0 to 1.6.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4586
• chore: update dependencies by @​eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4589
• fix: aliyun timeout is ms not second by @​wei840222 in https://github.com/external-secrets/external-secrets/pull/4591
• feat: add regional secrets support for gcpsm by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4563
• avoid unnecessary updates to CRDs and webhooks by @​steved in https://github.com/external-secrets/external-secrets/pull/4561
• feat: make kubernetes auth prefer service account tokens over secrets by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4596
• docs: typo fix in api/generator/quay.md by @​tarilabs in https://github.com/external-secrets/external-secrets/pull/4597

New Contributors

• @​bb-Ricardo made their first contribution in https://github.com/external-secrets/external-secrets/pull/4572
• @​mrsimo made their first contribution in https://github.com/external-secrets/external-secrets/pull/4571
• @​exaV made their first contribution in https://github.com/external-secrets/external-secrets/pull/4567
• @​thecosmicfrog made their first contribution in https://github.com/external-secrets/external-secrets/pull/4579
• @​aakashagg made their first contribution in https://github.com/external-secrets/external-secrets/pull/4578
• @​xinau made their first contribution in https://github.com/external-secrets/external-secrets/pull/4575
• @​wei840222 made their first contribution in https://github.com/external-secrets/external-secrets/pull/4591
• @​steved made their first contribution in https://github.com/external-secrets/external-secrets/pull/4561
• @​tarilabs made their first contribution in https://github.com/external-secrets/external-secrets/pull/4597

Full Changelog: external-secrets/external-secrets@v0.15.0...v0.15.1

v0.15.0

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.15.0
Image: ghcr.io/external-secrets/external-secrets:v0.15.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.15.0-ubi-boringssl

What's Changed

• chore: update helm charts to v0.14.4 by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4531
• Fix certificate revisionHistoryLimit schema by @​Aransh in https://github.com/external-secrets/external-secrets/pull/4534
• Improve Grafana generator integration with in-cluster Grafana by @​solidDoWant in https://github.com/external-secrets/external-secrets/pull/4519
• feat: introduce codeql scan for code sections by @​Setland34 in https://github.com/external-secrets/external-secrets/pull/4198
• feat: add metadata setting to encode secrets as decoded values by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4535
• Update full-pushsecret.yaml by @​Eitan1112 in https://github.com/external-secrets/external-secrets/pull/4547
• chore(deps): bump mkdocs-material from 9.6.7 to 9.6.8 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4555
• chore(deps): bump aquasecurity/trivy-action from 0.29.0 to 0.30.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4550
• chore(deps): bump docker/login-action from 3.3.0 to 3.4.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4551
• chore(deps): bump golangci/golangci-lint-action from 6.5.0 to 6.5.1 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4552
• fix: skip none-existing keys by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4517
• chore(deps): bump ubi8/ubi from ecbeb81 to 5993454 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4553
• fix: define top level permissions and fix token scope by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4543
• Fix Grafana generator not passing desired SA role to creation request by @​solidDoWant in https://github.com/external-secrets/external-secrets/pull/4533
• chore(deps): bump distroless/static from 3f2b64e to 95ea148 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4554
• feat: non standard templating delimiters by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4558
• chore: update dependencies by @​eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4556
• feat: add cloud.ru secret manager support by @​default23 in https://github.com/external-secrets/external-secrets/pull/3716
• fix: check if secret is being deleted during fetch by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4562
• feat: cluster push secret with pushing all secrets from a namespace by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4162

New Contributors

• @​solidDoWant made their first contribution in https://github.com/external-secrets/external-secrets/pull/4519
• @​Setland34 made their first contribution in https://github.com/external-secrets/external-secrets/pull/4198
• @​Eitan1112 made their first contribution in https://github.com/external-secrets/external-secrets/pull/4547
• @​default23 made their first contribution in https://github.com/external-secrets/external-secrets/pull/3716

Full Changelog: external-secrets/external-secrets@v0.14.4...v0.15.0

v0.14.4

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v0.14.4
Image: ghcr.io/external-secrets/external-secrets:v0.14.4-ubi
Image: ghcr.io/external-secrets/external-secrets:v0.14.4-ubi-boringssl

What's Changed

• fix: do not return pointer to session from cache by @​moolen in https://github.com/external-secrets/external-secrets/pull/4478
• chore: update helm charts to v0.14.3 by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4482
• chore: stability-support.md by @​gusfcarvalho in https://github.com/external-secrets/external-secrets/pull/4480
• Fix certificate revisionHistoryLimit invalid quote by @​Aransh in https://github.com/external-secrets/external-secrets/pull/4483
• Improve documentation for webhook auth secrets by @​KoenraadM in https://github.com/external-secrets/external-secrets/pull/4485
• fix: removed unused vars from apis/generators/v1alpha1/register.go by @​gkech in https://github.com/external-secrets/external-secrets/pull/4477
• [feature] added Prometheus Status metric for the PushSecret objects by @​MrImpossibru in https://github.com/external-secrets/external-secrets/pull/4489
• chore(deps): bump mkdocs-material from 9.6.5 to 9.6.7 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4497
• chore(deps): bump docker/setup-qemu-action from 3.4.0 to 3.6.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4495
• chore(deps): bump actions/attest-build-provenance from 2.2.0 to 2.2.2 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4492
• chore(deps): bump codecov/codecov-action from 5.3.1 to 5.4.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4491
• chore(deps): bump actions/cache from 4.2.1 to 4.2.2 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4493
• chore(deps): bump docker/setup-buildx-action from 3.9.0 to 3.10.0 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4494
• chore(deps): bump ubi8/ubi from 881aaf5 to ecbeb81 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4496
• fix: pass in namespace to managed cache for cluster scope if rbac is restricted by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4502
• fix: allow using UUID as vault and item name by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4490
• chore: update dependencies by @​eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4498
• docs: update aws identity doc adding EKS pod identity flow by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4432
• feat: Allow to specify tags when pushing to Azure Key Vault by @​twobiers in https://github.com/external-secrets/external-secrets/pull/4507
• feat: enable pushing the entire secret with aws secrets manager by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4504
• fix: remove fmt.Println from code and test code by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4509
• fix: improve webhook provider PushSecret handling by @​bhcleek in https://github.com/external-secrets/external-secrets/pull/4508
• fix webhook provider docs by @​bhcleek in https://github.com/external-secrets/external-secrets/pull/4514
• Updates to AAD and date update by @​sneakernuts in https://github.com/external-secrets/external-secrets/pull/4512
• allow references expansion when searching secret by key infinsical by @​tuxtof in https://github.com/external-secrets/external-secrets/pull/4486
• use subtests in webprovider unit tests by @​bhcleek in https://github.com/external-secrets/external-secrets/pull/4511
• feat: make vault auth an optional entry by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4516
• chore(deps): bump github/codeql-action from 3.28.10 to 3.28.11 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4521
• chore(deps): bump jinja2 from 3.1.5 to 3.1.6 in /hack/api-docs by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4523
• chore(deps): bump actions/attest-build-provenance from 2.2.2 to 2.2.3 by @​dependabot in https://github.com/external-secrets/external-secrets/pull/4522
• chore: update dependencies by @​eso-service-account-app in https://github.com/external-secrets/external-secrets/pull/4528
• feat: update the go version 1.24 by @​Skarlso in https://github.com/external-secrets/external-secrets/pull/4525

New Contributors

• @​KoenraadM made their first contribution in https://github.com/external-secrets/external-secrets/pull/4485
• @​gkech made their first contribution in https://github.com/external-secrets/external-secrets/pull/4477
• @​MrImpossibru made their first contribution in https://github.com/external-secrets/external-secrets/pull/4489
• @​bhcleek made their first contribution in https://github.com/external-secrets/external-secrets/pull/4508
• @​sneakernuts made their first contribution in https://github.com/external-secrets/external-secrets/pull/4512
• @​tuxtof made their first contribution in https://github.com/external-secrets/external-secrets/pull/4486

Full Changelog: external-secrets/external-secrets@v0.14.3...v0.14.4

---

Configuration

📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

--- kubernetes/apps/cluster-system/external-secrets/external-secrets/app Kustomization: flux-system/external-secrets HelmRelease: cluster-system/external-secrets

+++ kubernetes/apps/cluster-system/external-secrets/external-secrets/app Kustomization: flux-system/external-secrets HelmRelease: cluster-system/external-secrets

@@ -13,13 +13,13 @@

     spec:
       chart: external-secrets
       sourceRef:
         kind: HelmRepository
         name: external-secrets
         namespace: flux-system
-      version: 0.14.3
+      version: 0.16.1
   install:
     remediation:
       retries: 3
   interval: 30m
   upgrade:
     cleanupOnFail: true

[github-actions]

--- HelmRelease: cluster-system/external-secrets ClusterRole: cluster-system/external-secrets-controller

+++ HelmRelease: cluster-system/external-secrets ClusterRole: cluster-system/external-secrets-controller

@@ -13,12 +13,13 @@

   resources:
   - secretstores
   - clustersecretstores
   - externalsecrets
   - clusterexternalsecrets
   - pushsecrets
+  - clusterpushsecrets
   verbs:
   - get
   - list
   - watch
 - apiGroups:
   - external-secrets.io
@@ -35,12 +36,15 @@

   - clusterexternalsecrets
   - clusterexternalsecrets/status
   - clusterexternalsecrets/finalizers
   - pushsecrets
   - pushsecrets/status
   - pushsecrets/finalizers
+  - clusterpushsecrets
+  - clusterpushsecrets/status
+  - clusterpushsecrets/finalizers
   verbs:
   - get
   - update
   - patch
 - apiGroups:
   - generators.external-secrets.io
@@ -122,7 +126,15 @@

   resources:
   - externalsecrets
   verbs:
   - create
   - update
   - delete
+- apiGroups:
+  - external-secrets.io
+  resources:
+  - pushsecrets
+  verbs:
+  - create
+  - update
+  - delete
 
--- HelmRelease: cluster-system/external-secrets ClusterRole: cluster-system/external-secrets-view

+++ HelmRelease: cluster-system/external-secrets ClusterRole: cluster-system/external-secrets-view

@@ -15,12 +15,13 @@

   - external-secrets.io
   resources:
   - externalsecrets
   - secretstores
   - clustersecretstores
   - pushsecrets
+  - clusterpushsecrets
   verbs:
   - get
   - watch
   - list
 - apiGroups:
   - generators.external-secrets.io
--- HelmRelease: cluster-system/external-secrets ClusterRole: cluster-system/external-secrets-edit

+++ HelmRelease: cluster-system/external-secrets ClusterRole: cluster-system/external-secrets-edit

@@ -14,12 +14,13 @@

   - external-secrets.io
   resources:
   - externalsecrets
   - secretstores
   - clustersecretstores
   - pushsecrets
+  - clusterpushsecrets
   verbs:
   - create
   - delete
   - deletecollection
   - patch
   - update
--- HelmRelease: cluster-system/external-secrets ClusterRole: cluster-system/external-secrets-servicebindings

+++ HelmRelease: cluster-system/external-secrets ClusterRole: cluster-system/external-secrets-servicebindings

@@ -10,11 +10,12 @@

     app.kubernetes.io/managed-by: Helm
 rules:
 - apiGroups:
   - external-secrets.io
   resources:
   - externalsecrets
+  - pushsecrets
   verbs:
   - get
   - list
   - watch
 
--- HelmRelease: cluster-system/external-secrets Deployment: cluster-system/external-secrets-cert-controller

+++ HelmRelease: cluster-system/external-secrets Deployment: cluster-system/external-secrets-cert-controller

@@ -34,13 +34,13 @@

             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
-        image: ghcr.io/external-secrets/external-secrets:v0.14.3
+        image: ghcr.io/external-secrets/external-secrets:v0.16.1
         imagePullPolicy: IfNotPresent
         args:
         - certcontroller
         - --crd-requeue-interval=5m
         - --service-name=external-secrets-webhook
         - --service-namespace=cluster-system
--- HelmRelease: cluster-system/external-secrets Deployment: cluster-system/external-secrets

+++ HelmRelease: cluster-system/external-secrets Deployment: cluster-system/external-secrets

@@ -34,13 +34,13 @@

             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
-        image: ghcr.io/external-secrets/external-secrets:v0.14.3
+        image: ghcr.io/external-secrets/external-secrets:v0.16.1
         imagePullPolicy: IfNotPresent
         args:
         - --concurrent=1
         - --metrics-addr=:8080
         - --loglevel=info
         - --zap-time-encoding=epoch
--- HelmRelease: cluster-system/external-secrets Deployment: cluster-system/external-secrets-webhook

+++ HelmRelease: cluster-system/external-secrets Deployment: cluster-system/external-secrets-webhook

@@ -34,13 +34,13 @@

             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
-        image: ghcr.io/external-secrets/external-secrets:v0.14.3
+        image: ghcr.io/external-secrets/external-secrets:v0.16.1
         imagePullPolicy: IfNotPresent
         args:
         - webhook
         - --port=10250
         - --dns-name=external-secrets-webhook.cluster-system.svc
         - --cert-dir=/tmp/certs
--- HelmRelease: cluster-system/external-secrets ValidatingWebhookConfiguration: cluster-system/secretstore-validate

+++ HelmRelease: cluster-system/external-secrets ValidatingWebhookConfiguration: cluster-system/secretstore-validate

@@ -11,48 +11,48 @@

 webhooks:
 - name: validate.secretstore.external-secrets.io
   rules:
   - apiGroups:
     - external-secrets.io
     apiVersions:
-    - v1beta1
+    - v1
     operations:
     - CREATE
     - UPDATE
     - DELETE
     resources:
     - secretstores
     scope: Namespaced
   clientConfig:
     service:
       namespace: cluster-system
       name: external-secrets-webhook
-      path: /validate-external-secrets-io-v1beta1-secretstore
+      path: /validate-external-secrets-io-v1-secretstore
   admissionReviewVersions:
   - v1
   - v1beta1
   sideEffects: None
   timeoutSeconds: 5
 - name: validate.clustersecretstore.external-secrets.io
   rules:
   - apiGroups:
     - external-secrets.io
     apiVersions:
-    - v1beta1
+    - v1
     operations:
     - CREATE
     - UPDATE
     - DELETE
     resources:
     - clustersecretstores
     scope: Cluster
   clientConfig:
     service:
       namespace: cluster-system
       name: external-secrets-webhook
-      path: /validate-external-secrets-io-v1beta1-clustersecretstore
+      path: /validate-external-secrets-io-v1-clustersecretstore
   admissionReviewVersions:
   - v1
   - v1beta1
   sideEffects: None
   timeoutSeconds: 5
 
--- HelmRelease: cluster-system/external-secrets ValidatingWebhookConfiguration: cluster-system/externalsecret-validate

+++ HelmRelease: cluster-system/external-secrets ValidatingWebhookConfiguration: cluster-system/externalsecret-validate

@@ -11,25 +11,25 @@

 webhooks:
 - name: validate.externalsecret.external-secrets.io
   rules:
   - apiGroups:
     - external-secrets.io
     apiVersions:
-    - v1beta1
+    - v1
     operations:
     - CREATE
     - UPDATE
     - DELETE
     resources:
     - externalsecrets
     scope: Namespaced
   clientConfig:
     service:
       namespace: cluster-system
       name: external-secrets-webhook
-      path: /validate-external-secrets-io-v1beta1-externalsecret
+      path: /validate-external-secrets-io-v1-externalsecret
   admissionReviewVersions:
   - v1
   - v1beta1
   sideEffects: None
   timeoutSeconds: 5
   failurePolicy: Fail