
Contributor

@siddhibhor-56 siddhibhor-56 commented Dec 9, 2025

  • Updated the go.mod to 1.25.3
  • Bundle changes for v1.1.0 including v0.20.4 upstream external-secrets.
  • Updated the RBAC as per the upstream release


coderabbitai bot commented Dec 9, 2025

Walkthrough

Bumps operator VERSION to 1.1.0 and embedded ExternalSecrets to v0.20.4; upgrades Go/dependencies and builder images; expands many CRD schemas (CloudsmithAccessToken, workloadIdentityFederation, Vault CAS, Azure customCloudConfig, finalizers, selectableFields); extends RBAC and embedded manifests; adds Makefile bundle channel/default overrides and rebase-automation.sh.

Changes

Cohort / File(s) Summary
Build & CI config
Makefile, Dockerfile, images/ci/Dockerfile, images/ci/operand.Dockerfile, .ci-operator.yaml
VERSION → 1.1.0; EXTERNAL_SECRETS_VERSION → v0.20.4; Makefile: new CHANNELS / DEFAULT_CHANNEL override handling added for bundle metadata. Builder images updated to Go 1.25 toolchain.
Go modules & toolchain
go.mod
Go bumped to 1.25.3 and many dependency upgrades (k8s APIs, controller-runtime, controller-tools, kustomize, linters); module replacements updated to external-secrets v0.20.4.
Embedded manifests / assets
pkg/operator/assets/bindata.go, bindata/external-secrets/resources/*, pkg/operator/assets/*
Embedded YAMLs updated: version labels v0.19.0→v0.20.4, some image tags (e.g., bitwarden v0.5.0→v0.5.1), service webhook targetPort renamed to "webhook", RBAC/resource labels and verbs adjusted, cloudsmithaccesstokens referenced.
Operator RBAC & runtime
config/rbac/role.yaml, pkg/controller/external_secrets/controller.go
RBAC extended: namespaces verbs include patch/update; endpoints verbs added (create,get,list,watch); discovery.k8s.io/endpointslices added; generators.external-secrets.io includes cloudsmithaccesstokens.
CSV / bundle metadata
bundle/manifests/external-secrets-operator.clusterserviceversion.yaml, config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml
CSV name/version → v1.1.0, olm.skipRange updated; installPermissions expanded (endpoints, namespaces, endpointslices); generator resources updated to include new resources.
New Cloudsmith generator CRD
config/crd/bases/customresourcedefinition_cloudsmithaccesstokens.generators.external-secrets.io.yml, bundle/manifests/generators.external-secrets.io_*, config/crd/bases/*clustergenerators*
Adds CloudsmithAccessToken CRD and cloudsmithAccessTokenSpec; propagates CloudsmithAccessToken into generator kind enums and generator manifests.
CRD schema expansions — SecretStore / ClusterSecretStore
config/crd/bases/customresourcedefinition_secretstores*.yml, bundle/manifests/external-secrets.io_secretstores.yaml, bundle/manifests/external-secrets.io_clustersecretstores.yaml
Adds Azure customCloudConfig and useAzureSDK, AzureStackCloud env; workloadIdentityFederation blocks; new credential blocks (tokenAuthCredentials, kubernetesAuthCredentials); Vault checkAndSet (CAS); secretVersionSelectionPolicy; provider-specific fetching/domain fields; widespread SecretKeySelector usage.
CRD updates — ExternalSecret / PushSecret / Cluster variants
config/crd/bases/customresourcedefinition_externalsecrets*.yml, config/crd/bases/customresourcedefinition_clusterexternalsecrets*.yml, config/crd/bases/customresourcedefinition_pushsecrets*.yml, bundle/manifests/*
controller-gen bumped to v0.19.0; adds finalizers array under template.metadata, adds CloudsmithAccessToken in generatorRef.kind enums, adds selectableFields to ExternalSecret v1 schema, expands template/templateFrom/templateRef/TemplateTarget descriptions.
Generator CRDs — federation, CAS, and misc additions
config/crd/bases/customresourcedefinition_acraccesstokens*.yml, customresourcedefinition_gcraccesstokens*.yml, customresourcedefinition_vaultdynamicsecrets*.yml, bundle/manifests/generators.external-secrets.io_clustergenerators.yaml, ..._gcraccesstokens.yaml
Adds workloadIdentityFederation, checkAndSet (Vault CAS), cloudsmithAccessTokenSpec entries, and AzureStackCloud enum to various generator CRDs; adds descriptive spec fields.
OpenShift CRDs / wording changes
bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml, bundle/manifests/operator.openshift.io_externalsecretsmanagers.yaml, config/crd/bases/operator.openshift.io_*.yaml
controller-gen annotation bumps; removed beta gating notes for matchLabelKeys; changed podAffinity weight wording (add → subtract); updated DynamicResourceAllocation wording.
Controller tests & minor edits
pkg/controller/external_secrets/deployments_test.go
Updated expected error string formatting (resource name quoted).
Generated bundle & bindata
bundle/manifests/*, pkg/operator/assets/bindata.go
Re-generated bundle/manifests to reflect CRD/schema additions, version bumps, RBAC updates, and embedded asset changes.
New automation script
rebase-automation.sh
New script automating multi-step rebase workflow: dependency bump, Makefile update, regenerate operand manifests, patch CSV metadata, build bundle and update bindata; supports dry-run, step selection, and skip-commit.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: build linters: unable to load custom analyzer "kubeapilinter": bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": bin/kube-api-linter.so, plugin: not implemented


Comment @coderabbitai help to get the list of available commands and usage tips.
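The RBAC extension listed in the walkthrough (namespaces gaining patch/update, endpoints gaining create, endpointslices added) is the kind of change a cluster admin would rather check mechanically than by reading a regenerated bindata.go. The script below is an added example for this thread, not code from the external-secrets-operator project or from the review bot: it takes a ClusterRole in the JSON form that `kubectl get clusterrole <name> -o json` prints and flags every rule granting a write verb on a resource from an assumed sensitive set, noting whether resourceNames narrows the grant. The embedded sample ClusterRole is constructed to mirror the verbs discussed on this page and is not the operator's real manifest; the sensitive-resource list is this example's own choice, not a project policy.

```python
"""Flag cluster-wide write access to sensitive resources in a ClusterRole.

Added example for this review thread; not code from external-secrets-operator.
Input is a ClusterRole in JSON form (`kubectl get clusterrole NAME -o json`),
so only the Python standard library is needed.
"""
import json
import sys
from typing import Iterable

# Verbs that mutate state; a rule listing "*" grants all of them.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

# (apiGroup, resource) pairs whose cluster-wide mutation deserves review.
# This set is an assumption of the example, not a project policy.
SENSITIVE = {
    ("", "namespaces"),
    ("", "secrets"),
    ("", "endpoints"),
    ("discovery.k8s.io", "endpointslices"),
    ("rbac.authorization.k8s.io", "clusterroles"),
    ("rbac.authorization.k8s.io", "clusterrolebindings"),
}


def _grants(values: Iterable[str], wanted: str) -> bool:
    """True if a rule's list names `wanted` explicitly or via the '*' wildcard."""
    return "*" in values or wanted in values


def audit_rules(rules: list) -> list:
    """Return one finding per rule that grants a write verb on a sensitive
    resource. `scoped` is True when resourceNames narrows the grant, so a
    reviewer can treat it as lower risk than an unrestricted cluster-wide rule."""
    findings = []
    for rule in rules:
        verbs = set(rule.get("verbs", []))
        writes = WRITE_VERBS if "*" in verbs else WRITE_VERBS & verbs
        if not writes:
            continue
        for group, resource in sorted(SENSITIVE):
            if _grants(rule.get("apiGroups", []), group) and _grants(rule.get("resources", []), resource):
                findings.append({
                    "apiGroup": group,
                    "resource": resource,
                    "verbs": sorted(writes),
                    "scoped": bool(rule.get("resourceNames")),
                })
    return findings


def audit_clusterrole_json(doc: str) -> list:
    """Parse a ClusterRole JSON document and audit its rules."""
    obj = json.loads(doc)
    if obj.get("kind") != "ClusterRole":
        raise ValueError(f"expected kind ClusterRole, got {obj.get('kind')!r}")
    return audit_rules(obj.get("rules", []))


# Constructed sample mirroring the verbs discussed in this PR; it is NOT the
# operator's real manifest.
SAMPLE_CLUSTERROLE = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "external-secrets-controller"},
    "rules": [
        {"apiGroups": [""], "resources": ["namespaces"],
         "verbs": ["get", "list", "watch", "update", "patch"]},
        {"apiGroups": [""], "resources": ["endpoints"],
         "verbs": ["create", "get", "list", "watch"]},
        {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["generators.external-secrets.io"],
         "resources": ["cloudsmithaccesstokens"], "verbs": ["get", "list", "watch"]},
    ],
})


if __name__ == "__main__":
    # Read a live role from stdin when one is piped in, otherwise audit the sample.
    doc = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CLUSTERROLE
    for f in audit_clusterrole_json(doc):
        scope = "resourceNames-scoped" if f["scoped"] else "cluster-wide"
        print(f"{scope}: {f['apiGroup'] or 'core'}/{f['resource']} -> {', '.join(f['verbs'])}")
```

Run it as `kubectl get clusterrole external-secrets-controller -o json | python3 audit_rbac.py` against a cluster where the operator is installed; on the constructed sample it reports the cluster-wide patch/update on namespaces and create on endpoints, and stays silent on the read-only endpointslices and cloudsmithaccesstokens rules. A wildcard `*` in apiGroups, resources or verbs is treated as matching everything, which is the case most audits miss.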

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 12

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)
pkg/operator/assets/bindata.go (2)

564-714: ClusterRole now grants cluster‑wide namespace mutation; validate least‑privilege

The external-secrets-controller ClusterRole now includes:

- apiGroups:
    - ""
  resources:
    - "namespaces"
  verbs:
    - "update"
    - "patch"

This allows the controller to modify any Namespace object cluster‑wide, which is a notable security posture change compared to read‑only access. Unless the controller truly needs to mutate arbitrary namespaces (not just its own or a narrow subset), this is broader than typical least‑privilege RBAC for an operator and increases the blast radius of a bug or compromise.

If the write access is required, consider:

  • Constraining the scope (e.g., via resourceNames or a dedicated label/annotation filter) if feasible, and/or
  • Documenting clearly which namespace fields are expected to be patched so cluster admins can assess risk.

89-408: Some embedded manifests still advertise app.kubernetes.io/version: "v0.19.0"

Several assets (e.g., certificate_bitwarden-tls-certs and the allow-*/deny-all NetworkPolicies) still carry:

app.kubernetes.io/version: "v0.19.0"

while the rest of the stack has been bumped to v0.20.1 (or v0.5.1 for Bitwarden). This won’t break functionality, but it can mislead operators or tooling that rely on the version label for debugging or inventory.

If these are intended to track the operator release rather than the Bitwarden component version, consider updating the labels for consistency the next time you regenerate bindata.

go.mod (1)

3-321: Verify CI/build compatibility with Go 1.25.5 and updated Kubernetes dependencies

Go 1.25.5 is a backward-compatible patch release with security fixes and bug fixes to runtime, crypto/x509, mime, and os packages—safe for standard upgrades. The k8s.io v0.34.1 stack is explicitly compatible with controller-runtime v0.22.3. However, as a best practice before merging:

  • Confirm your CI/build pipeline and release images support Go 1.25.5
  • Run integration tests to validate the updated K8s API surface against your controllers
bundle/manifests/external-secrets.io_secretstores.yaml (1)

3282-3348: SecretStore namespace field must be forbidden in CRD.

SecretStore is namespaced and must not access secrets across namespaces. While the controller enforces namespace restrictions via admission and SelfSubjectRulesReview, add CEL validation rules to the CRD to prevent namespace fields from being set on SecretKeySelectors within SecretStore specs. This provides defense-in-depth validation at the API level and reduces risk from controller logic bugs (CVE-2025-55196 demonstrated real-world namespace restriction bypasses in external-secrets).

  • Forbid secretRef.namespace and caProvider.namespace in SecretStore specs via x-kubernetes-validations CEL rules.
  • Allow these fields only in ClusterSecretStore.
  • If adding CEL everywhere is costly, at minimum validate top-level authRef/caProvider and commonly-used provider SecretRef fields in this CRD.

Also applies to: 4098-4142, 5208-5241

♻️ Duplicate comments (4)
bundle/manifests/generators.external-secrets.io_acraccesstokens.yaml (1)

5-5: Bundle manifest correctly reflects CRD base changes.

The bundle manifest is properly synchronized with the base CRD changes (controller-gen version, AzureStackCloud enum).

Also applies to: 188-188

bundle/manifests/generators.external-secrets.io_vaultdynamicsecrets.yaml (1)

5-5: Bundle manifest correctly reflects CRD base changes.

The bundle manifest is properly synchronized with the base CRD (controller-gen version, checkAndSet field for Vault CAS).

Also applies to: 741-752

config/crd/bases/customresourcedefinition_pushsecrets.external-secrets.io.yml (2)

6-6: CloudsmithAccessToken generator added to PushSecret.

The CloudsmithAccessToken enum option is added to spec.template.selector.generatorRef.kind for namespaced PushSecrets, mirroring ClusterPushSecret changes and enabling consistent generator support across namespaced and cluster scopes.

Also applies to: 186-186


297-300: Optional finalizers field added to template metadata.

The new template.metadata.finalizers field for namespaced PushSecrets mirrors the ClusterPushSecret change, allowing fine-grained control over secret lifecycle via finalizers.

🧹 Nitpick comments (10)
bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml (1)

646-653: Doc inconsistency: “subtracting weight” vs “added per-node”.

You changed the narrative to subtract weights for matches, but the item description still says “weights … are added per-node”. Align the text to avoid confusion.

Apply:

-                              description: The weights of all of the matched WeightedPodAffinityTerm
-                                fields are added per-node to find the most preferred
-                                node(s)
+                              description: For each node, matched WeightedPodAffinityTerm weights are
+                                aggregated per the rule above (subtract on matches for podAntiAffinity)
+                                to compute the preference score and find the most preferred node(s)
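Review bot: this description string is generated by controller-gen from the doc comments on the vendored k8s.io/api core/v1 types (the walkthrough notes controller-gen was bumped to v0.19.0 in this PR), so hand-editing it in bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml will be reverted the next time the CRDs and bundle are regenerated. The "subtracting weight" sentence is the upstream anti-affinity wording, and WeightedPodAffinityTerm is the same type under podAffinity and podAntiAffinity, so the proposed replacement ("subtract on matches for podAntiAffinity") would be wrong wherever the same description appears under podAffinity. If the wording needs to change, change it in the upstream Go types and regenerate.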
config/crd/bases/operator.openshift.io_externalsecretsmanagers.yaml (1)

640-646: Make affinity weight aggregation wording self-consistent.

Narrative uses “subtracting weight” for matches, but the subsequent description still says “added per-node”. Unify to one rule.

Apply:

-                            description: |-
+                            description: |-
                               The scheduler will prefer to schedule pods to nodes that satisfy
@@
-                              compute a sum by iterating through the elements of this field and subtracting
-                              "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
+                              compute a sum by iterating through the elements of this field and subtracting
+                              "weight" from the sum if the node has pods which match the corresponding podAffinityTerm; the
                               node(s) with the highest sum are the most preferred.
@@
-                              description: The weights of all of the matched WeightedPodAffinityTerm
-                                fields are added per-node to find the most preferred
-                                node(s)
+                              description: For each node, matched WeightedPodAffinityTerm weights are
+                                aggregated per the rule above (subtract on matches for podAntiAffinity)
+                                to compute the preference score and find the most preferred node(s)
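Review bot: the first hunk replaces `description: |-` with an identical line and should be dropped, and the second only changes "pods which matches" to "pods which match"; both edit text that controller-gen copies verbatim from the vendored k8s.io/api doc comments into config/crd/bases, so they disappear at the next regeneration. If the grammar fix is wanted, it belongs in kubernetes/kubernetes, not in this operator's generated CRD.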
bundle/manifests/operator.openshift.io_externalsecretsmanagers.yaml (2)

640-646: Anti-affinity scoring text still references “added per-node”.

Keep the scoring explanation consistent with the new “subtracting weight” rule.

Apply:

-                              description: The weights of all of the matched WeightedPodAffinityTerm
-                                fields are added per-node to find the most preferred
-                                node(s)
+                              description: For each node, matched WeightedPodAffinityTerm weights are
+                                aggregated per the rule above (subtract on matches for podAntiAffinity)
+                                to compute the preference score and find the most preferred node(s)
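Review bot: bundle/manifests is a generated copy of config/crd/bases (the walkthrough lists it under "Re-generated bundle/manifests"), so applying this wording change by hand here as well as in the base CRD leaves two files that drift apart at the next bundle regeneration. Make any change once at the source the generator reads from and regenerate both; do not patch the bundle copy directly.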

1053-1055: DRA dependency — document or guard at runtime.

If clusters lack the DynamicResourceAllocation gate, ensure the operator avoids emitting unsupported resourceClaims or provides clear status.

Suggestion: add a startup check and surface a Condition when DRA is unavailable.

config/crd/bases/customresourcedefinition_secretstores.external-secrets.io.yml (1)

3790-3793: SecretServer domain: add basic validation to catch typos early

Consider a simple hostname pattern to prevent obvious misconfig (spaces, illegal chars).

-                        domain:
-                          description: Domain is the secret server domain.
-                          type: string
+                        domain:
+                          description: Domain is the secret server domain.
+                          type: string
+                          pattern: '^[a-zA-Z0-9.-]+$'
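Review bot: adding `pattern: '^[a-zA-Z0-9.-]+$'` makes this operator's SecretStore CRD stricter than the upstream external-secrets v0.20.4 schema the manifests are copied from, so a store upstream accepts could be rejected here, and the regex still admits clearly bad values (`.`, `-`, `..`) while rejecting ones that may be legitimate (a `host:port`, underscores). The field is described only as "the secret server domain" and sits alongside the username credentials; if it is the Windows/AD logon domain rather than a DNS hostname, a hostname-shaped regex is the wrong check altogether. Leave the generated field unvalidated here and, if validation is wanted, propose it upstream with the field's actual semantics spelled out.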
config/crd/bases/customresourcedefinition_clustersecretstores.external-secrets.io.yml (2)

4697-4797: Volcengine auth: make credentials source explicit to avoid silent misconfig.

Current schema suggests “use IRSA if auth.secretRef not set” but cannot validate IRSA presence. Recommend:

  • Introduce credentialsSource enum (e.g., IRSA | SecretRef) to make intent explicit and validate when SecretRef is required.
  • Alternatively add CEL to require auth.secretRef when a token field is present, and enhance controller status to surface “no credentials found” fast.

I can draft a minimal schema update with credentialsSource and CEL guards if desired.


3791-3793: SecretServer domain: confirm necessity and requiredness.

New domain field is optional; if certain deployments require it (e.g., AD-integrated auth), consider marking it required or documenting precedence with username. Otherwise, OK to keep optional.

rebase-automation.sh (1)

94-94: Warn about large vendor directory commit.

Adding the entire vendor/ directory in line 94 can result in a very large commit. While this may be intentional for reproducibility, consider adding a warning or size check.

bundle/manifests/external-secrets.io_clustersecretstores.yaml (2)

5010-5118: Volcengine: consider minimal auth/region validations.

IRSA fallback is fine, but add validation to require secretRef when using temporary STS token (token set) and to ensure both accessKeyID and secretAccessKey are present together.

If this mirrors upstream exactly, ignore; otherwise I can draft x-kubernetes-validations consistent with provider behavior.


1949-2067: Add x-kubernetes-validations to enforce GCP Workload Identity Federation constraints.

The schema should enforce the upstream requirement that audience must be non-empty when either serviceAccountRef or awsSecurityCredentials is configured. Additionally, at least one token source among {credConfig, serviceAccountRef, awsSecurityCredentials} should be required. Use x-kubernetes-validations rules to enforce these invariants at the schema level.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 8b0bfce and bff8df4.

⛔ Files ignored due to path filters (220)
  • go.sum is excluded by !**/*.sum
  • vendor/cel.dev/expr/eval.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/NYTimes/gziphandler/.gitignore is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/NYTimes/gziphandler/.travis.yml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/NYTimes/gziphandler/CODE_OF_CONDUCT.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/NYTimes/gziphandler/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/NYTimes/gziphandler/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/NYTimes/gziphandler/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/NYTimes/gziphandler/gzip.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/NYTimes/gziphandler/gzip_go18.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/asaskevich/govalidator/.gitignore is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/asaskevich/govalidator/.travis.yml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/asaskevich/govalidator/CODE_OF_CONDUCT.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/asaskevich/govalidator/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/asaskevich/govalidator/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/asaskevich/govalidator/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/asaskevich/govalidator/arrays.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/asaskevich/govalidator/converter.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/asaskevich/govalidator/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/asaskevich/govalidator/error.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/asaskevich/govalidator/numerics.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/asaskevich/govalidator/patterns.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/asaskevich/govalidator/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/asaskevich/govalidator/utils.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/asaskevich/govalidator/validator.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/asaskevich/govalidator/wercker.yml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/aws/aws-sdk-go/aws/auth/bearer/token.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/aws/aws-sdk-go/aws/awserr/error.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/aws/aws-sdk-go/aws/awsutil/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/aws/aws-sdk-go/aws/client/client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/aws/aws-sdk-go/aws/client/metadata/client_info.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/aws/aws-sdk-go/aws/corehandlers/handlers.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/aws/aws-sdk-go/aws/credentials/credentials.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/aws/aws-sdk-go/aws/csm/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/aws/aws-sdk-go/aws/defaults/defaults.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/aws/aws-sdk-go/aws/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/aws/aws-sdk-go/aws/ec2metadata/service.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/aws/aws-sdk-go/aws/endpoints/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/aws/aws-sdk-go/aws/request/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/aws/aws-sdk-go/aws/session/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/aws/aws-sdk-go/aws/signer/v4/v4.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/aws/aws-sdk-go/aws/version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/aws/aws-sdk-go/service/secretsmanager/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/aws/aws-sdk-go/service/sso/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/aws/aws-sdk-go/service/ssooidc/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/aws/aws-sdk-go/service/sts/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/go-semver/NOTICE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/go-semver/semver/semver.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/go-semver/semver/sort.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/go-systemd/v22/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/go-systemd/v22/NOTICE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/go-systemd/v22/daemon/sdnotify.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/go-systemd/v22/daemon/watchdog.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/go-systemd/v22/journal/journal.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/go-systemd/v22/journal/journal_unix.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/go-systemd/v22/journal/journal_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/emicklei/go-restful/v3/.travis.yml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/emicklei/go-restful/v3/CHANGES.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/emicklei/go-restful/v3/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/emicklei/go-restful/v3/curly.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/emicklei/go-restful/v3/custom_verb.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/emicklei/go-restful/v3/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/jsonpointer/.golangci.yml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/jsonpointer/pointer.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/jsonreference/.golangci.yml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/jsonreference/reference.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/.golangci.yml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/BENCHMARK.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/cmdutils/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/cmdutils/cmd_utils.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/cmdutils/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/cmdutils_iface.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/conv/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/conv/convert.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/conv/convert_types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/conv/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/conv/format.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/conv/sizeof.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/conv/type_constraints.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/conv_iface.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/convert.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/convert_types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/errors.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/fileutils/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/fileutils/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/fileutils/file.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/fileutils/path.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/fileutils_iface.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/initialism_index.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/json.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/jsonname/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/jsonname/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/jsonname/name_provider.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/jsonname_iface.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/concat.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/json.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils/ordered_map.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/jsonutils_iface.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/loading.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/loading/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/loading/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/loading/errors.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/loading/json.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/loading/loading.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/loading/options.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/loading/yaml.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/loading_iface.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/mangling/BENCHMARK.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/mangling/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/mangling/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/mangling/initialism_index.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/mangling/name_lexem.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/mangling/name_mangler.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/mangling/options.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/mangling/pools.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/mangling/split.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/mangling/string_bytes.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/mangling/util.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/mangling_iface.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/name_lexem.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/netutils/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/netutils/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/netutils/net.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/netutils_iface.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/path.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/split.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/string_bytes.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/stringutils/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/stringutils/collection_formats.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/stringutils/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/stringutils/strings.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/stringutils_iface.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/typeutils/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/typeutils/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/typeutils/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/typeutils_iface.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/util.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/yaml.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/yamlutils/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/yamlutils/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/yamlutils/errors.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/yamlutils/ordered_map.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/yamlutils/yaml.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/go-openapi/swag/yamlutils_iface.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/gogoproto/Makefile is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/gogoproto/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/gogoproto/gogo.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/gogoproto/gogo.pb.golden is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/gogoproto/gogo.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/gogoproto/helper.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/protoc-gen-gogo/descriptor/Makefile is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/protoc-gen-gogo/descriptor/descriptor.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/protoc-gen-gogo/descriptor/descriptor.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/protoc-gen-gogo/descriptor/descriptor_gostring.gen.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/gogo/protobuf/protoc-gen-gogo/descriptor/helper.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/golang/protobuf/AUTHORS is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/golang/protobuf/CONTRIBUTORS is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/golang/protobuf/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/golang/protobuf/proto/buffer.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/golang/protobuf/proto/defaults.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/golang/protobuf/proto/deprecated.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/golang/protobuf/proto/discard.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/golang/protobuf/proto/extensions.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/golang/protobuf/proto/properties.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/golang/protobuf/proto/proto.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/golang/protobuf/proto/registry.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/golang/protobuf/proto/text_decode.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/golang/protobuf/proto/text_encode.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/golang/protobuf/proto/wire.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/golang/protobuf/proto/wrappers.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/cel/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/cel/decls.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/cel/env.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/cel/folding.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/cel/io.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/cel/library.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/cel/macro.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/cel/options.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/cel/program.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/cel/prompt.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/cel/templates/authoring.tmpl is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/cel/validator.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/checker/checker.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/checker/cost.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/checker/decls/decls.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/checker/errors.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/ast/ast.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/ast/factory.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/ast/navigable.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/containers/container.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/debug/debug.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/decls/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/decls/decls.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/env/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/env/env.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/errors.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/stdlib/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/stdlib/standard.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/types/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/types/bool.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/types/bytes.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/types/double.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/types/duration.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/types/err.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/types/format.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/types/int.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/types/list.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/types/map.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/types/null.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/types/object.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/types/optional.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/types/pb/type.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/types/string.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cel-go/common/types/timestamp.go is excluded by !vendor/**, !**/vendor/**
📒 Files selected for processing (80)
  • Makefile (1 hunks)
  • bindata/external-secrets/resources/certificate_external-secrets-webhook.yml (1 hunks)
  • bindata/external-secrets/resources/clusterrole_external-secrets-cert-controller.yml (2 hunks)
  • bindata/external-secrets/resources/clusterrole_external-secrets-controller.yml (3 hunks)
  • bindata/external-secrets/resources/clusterrole_external-secrets-edit.yml (2 hunks)
  • bindata/external-secrets/resources/clusterrole_external-secrets-servicebindings.yml (1 hunks)
  • bindata/external-secrets/resources/clusterrole_external-secrets-view.yml (2 hunks)
  • bindata/external-secrets/resources/clusterrolebinding_external-secrets-cert-controller.yml (1 hunks)
  • bindata/external-secrets/resources/clusterrolebinding_external-secrets-controller.yml (1 hunks)
  • bindata/external-secrets/resources/deployment_bitwarden-sdk-server.yml (2 hunks)
  • bindata/external-secrets/resources/deployment_external-secrets-cert-controller.yml (3 hunks)
  • bindata/external-secrets/resources/deployment_external-secrets-webhook.yml (3 hunks)
  • bindata/external-secrets/resources/deployment_external-secrets.yml (3 hunks)
  • bindata/external-secrets/resources/role_external-secrets-leaderelection.yml (1 hunks)
  • bindata/external-secrets/resources/rolebinding_external-secrets-leaderelection.yml (1 hunks)
  • bindata/external-secrets/resources/secret_external-secrets-webhook.yml (1 hunks)
  • bindata/external-secrets/resources/service_bitwarden-sdk-server.yml (1 hunks)
  • bindata/external-secrets/resources/service_external-secrets-cert-controller-metrics.yml (1 hunks)
  • bindata/external-secrets/resources/service_external-secrets-metrics.yml (1 hunks)
  • bindata/external-secrets/resources/service_external-secrets-webhook.yml (1 hunks)
  • bindata/external-secrets/resources/serviceaccount_bitwarden-sdk-server.yml (1 hunks)
  • bindata/external-secrets/resources/serviceaccount_external-secrets-cert-controller.yml (1 hunks)
  • bindata/external-secrets/resources/serviceaccount_external-secrets-webhook.yml (1 hunks)
  • bindata/external-secrets/resources/serviceaccount_external-secrets.yml (1 hunks)
  • bindata/external-secrets/resources/validatingwebhookconfiguration_externalsecret-validate.yml (1 hunks)
  • bindata/external-secrets/resources/validatingwebhookconfiguration_secretstore-validate.yml (1 hunks)
  • bundle/manifests/external-secrets-operator.clusterserviceversion.yaml (4 hunks)
  • bundle/manifests/external-secrets.io_clusterexternalsecrets.yaml (4 hunks)
  • bundle/manifests/external-secrets.io_clusterpushsecrets.yaml (3 hunks)
  • bundle/manifests/external-secrets.io_clustersecretstores.yaml (15 hunks)
  • bundle/manifests/external-secrets.io_externalsecrets.yaml (5 hunks)
  • bundle/manifests/external-secrets.io_pushsecrets.yaml (3 hunks)
  • bundle/manifests/external-secrets.io_secretstores.yaml (15 hunks)
  • bundle/manifests/generators.external-secrets.io_acraccesstokens.yaml (2 hunks)
  • bundle/manifests/generators.external-secrets.io_clustergenerators.yaml (6 hunks)
  • bundle/manifests/generators.external-secrets.io_ecrauthorizationtokens.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_gcraccesstokens.yaml (2 hunks)
  • bundle/manifests/generators.external-secrets.io_generatorstates.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_githubaccesstokens.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_grafanas.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_mfas.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_passwords.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_quayaccesstokens.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_sshkeys.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_stssessiontokens.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_uuids.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_vaultdynamicsecrets.yaml (2 hunks)
  • bundle/manifests/generators.external-secrets.io_webhooks.yaml (1 hunks)
  • bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml (3 hunks)
  • bundle/manifests/operator.openshift.io_externalsecretsmanagers.yaml (3 hunks)
  • config/crd/bases/customresourcedefinition_acraccesstokens.generators.external-secrets.io.yml (2 hunks)
  • config/crd/bases/customresourcedefinition_cloudsmithaccesstokens.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_clusterexternalsecrets.external-secrets.io.yml (4 hunks)
  • config/crd/bases/customresourcedefinition_clustergenerators.generators.external-secrets.io.yml (6 hunks)
  • config/crd/bases/customresourcedefinition_clusterpushsecrets.external-secrets.io.yml (3 hunks)
  • config/crd/bases/customresourcedefinition_clustersecretstores.external-secrets.io.yml (15 hunks)
  • config/crd/bases/customresourcedefinition_ecrauthorizationtokens.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_externalsecrets.external-secrets.io.yml (5 hunks)
  • config/crd/bases/customresourcedefinition_gcraccesstokens.generators.external-secrets.io.yml (2 hunks)
  • config/crd/bases/customresourcedefinition_generatorstates.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_githubaccesstokens.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_grafanas.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_mfas.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_passwords.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_pushsecrets.external-secrets.io.yml (3 hunks)
  • config/crd/bases/customresourcedefinition_quayaccesstokens.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_secretstores.external-secrets.io.yml (15 hunks)
  • config/crd/bases/customresourcedefinition_sshkeys.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_stssessiontokens.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_uuids.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_vaultdynamicsecrets.generators.external-secrets.io.yml (2 hunks)
  • config/crd/bases/customresourcedefinition_webhooks.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml (3 hunks)
  • config/crd/bases/operator.openshift.io_externalsecretsmanagers.yaml (3 hunks)
  • config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml (3 hunks)
  • go.mod (8 hunks)
  • openshift-certificate-analyzer (1 hunks)
  • pkg/controller/external_secrets/deployments_test.go (1 hunks)
  • pkg/operator/assets/bindata.go (37 hunks)
  • rebase-automation.sh (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • bindata/external-secrets/resources/serviceaccount_external-secrets-webhook.yml
  • config/crd/bases/customresourcedefinition_stssessiontokens.generators.external-secrets.io.yml
  • Makefile
  • config/crd/bases/customresourcedefinition_githubaccesstokens.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_mfas.generators.external-secrets.io.yml
  • bindata/external-secrets/resources/clusterrolebinding_external-secrets-controller.yml
  • config/crd/bases/customresourcedefinition_generatorstates.generators.external-secrets.io.yml
  • bindata/external-secrets/resources/service_bitwarden-sdk-server.yml
  • bundle/manifests/generators.external-secrets.io_webhooks.yaml
  • config/crd/bases/customresourcedefinition_ecrauthorizationtokens.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_quayaccesstokens.generators.external-secrets.io.yml
  • bindata/external-secrets/resources/validatingwebhookconfiguration_secretstore-validate.yml
  • bundle/manifests/generators.external-secrets.io_generatorstates.yaml
  • bindata/external-secrets/resources/deployment_external-secrets-cert-controller.yml
  • bundle/manifests/generators.external-secrets.io_quayaccesstokens.yaml
  • bindata/external-secrets/resources/service_external-secrets-metrics.yml
  • bundle/manifests/generators.external-secrets.io_mfas.yaml
  • bundle/manifests/generators.external-secrets.io_uuids.yaml
  • config/crd/bases/customresourcedefinition_sshkeys.generators.external-secrets.io.yml
  • bindata/external-secrets/resources/deployment_external-secrets-webhook.yml
  • openshift-certificate-analyzer
  • config/crd/bases/customresourcedefinition_acraccesstokens.generators.external-secrets.io.yml
  • bindata/external-secrets/resources/certificate_external-secrets-webhook.yml
  • bindata/external-secrets/resources/clusterrolebinding_external-secrets-cert-controller.yml
  • bindata/external-secrets/resources/deployment_external-secrets.yml
  • bindata/external-secrets/resources/deployment_bitwarden-sdk-server.yml
  • bindata/external-secrets/resources/rolebinding_external-secrets-leaderelection.yml
  • config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml
  • bindata/external-secrets/resources/clusterrole_external-secrets-view.yml
  • bundle/manifests/generators.external-secrets.io_vaultdynamicsecrets.yaml
  • bindata/external-secrets/resources/serviceaccount_bitwarden-sdk-server.yml
  • bindata/external-secrets/resources/serviceaccount_external-secrets.yml
  • bundle/manifests/generators.external-secrets.io_sshkeys.yaml
  • bundle/manifests/generators.external-secrets.io_stssessiontokens.yaml
  • config/crd/bases/customresourcedefinition_webhooks.generators.external-secrets.io.yml
  • bundle/manifests/generators.external-secrets.io_githubaccesstokens.yaml
  • bundle/manifests/external-secrets.io_clusterexternalsecrets.yaml
  • bindata/external-secrets/resources/secret_external-secrets-webhook.yml
  • pkg/controller/external_secrets/deployments_test.go
  • bindata/external-secrets/resources/role_external-secrets-leaderelection.yml
  • bindata/external-secrets/resources/clusterrole_external-secrets-edit.yml
  • config/crd/bases/customresourcedefinition_clusterpushsecrets.external-secrets.io.yml
  • config/crd/bases/operator.openshift.io_externalsecretsmanagers.yaml
  • go.mod
  • bundle/manifests/generators.external-secrets.io_grafanas.yaml
  • config/crd/bases/customresourcedefinition_passwords.generators.external-secrets.io.yml
  • bundle/manifests/generators.external-secrets.io_passwords.yaml
  • bundle/manifests/operator.openshift.io_externalsecretsmanagers.yaml
  • bindata/external-secrets/resources/serviceaccount_external-secrets-cert-controller.yml
  • bindata/external-secrets/resources/validatingwebhookconfiguration_externalsecret-validate.yml
  • bindata/external-secrets/resources/service_external-secrets-webhook.yml
  • config/crd/bases/customresourcedefinition_grafanas.generators.external-secrets.io.yml
  • bindata/external-secrets/resources/service_external-secrets-cert-controller-metrics.yml
  • bindata/external-secrets/resources/clusterrole_external-secrets-cert-controller.yml
  • config/crd/bases/customresourcedefinition_pushsecrets.external-secrets.io.yml
  • bindata/external-secrets/resources/clusterrole_external-secrets-servicebindings.yml
  • config/crd/bases/customresourcedefinition_gcraccesstokens.generators.external-secrets.io.yml
  • pkg/operator/assets/bindata.go
  • rebase-automation.sh
  • bundle/manifests/external-secrets.io_clusterpushsecrets.yaml
  • bundle/manifests/generators.external-secrets.io_acraccesstokens.yaml
  • bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml
  • config/crd/bases/customresourcedefinition_uuids.generators.external-secrets.io.yml
  • bundle/manifests/generators.external-secrets.io_ecrauthorizationtokens.yaml
  • config/crd/bases/customresourcedefinition_secretstores.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_cloudsmithaccesstokens.generators.external-secrets.io.yml
  • bundle/manifests/external-secrets.io_pushsecrets.yaml
  • bundle/manifests/external-secrets-operator.clusterserviceversion.yaml
  • config/crd/bases/customresourcedefinition_vaultdynamicsecrets.generators.external-secrets.io.yml
  • bundle/manifests/external-secrets.io_clustersecretstores.yaml
  • bindata/external-secrets/resources/clusterrole_external-secrets-controller.yml
  • bundle/manifests/generators.external-secrets.io_gcraccesstokens.yaml
  • config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml
  • config/crd/bases/customresourcedefinition_clustersecretstores.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_clusterexternalsecrets.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_clustergenerators.generators.external-secrets.io.yml
  • bundle/manifests/generators.external-secrets.io_clustergenerators.yaml
  • config/crd/bases/customresourcedefinition_externalsecrets.external-secrets.io.yml
  • bundle/manifests/external-secrets.io_externalsecrets.yaml
  • bundle/manifests/external-secrets.io_secretstores.yaml
🪛 Shellcheck (0.11.0)
rebase-automation.sh

[warning] 9-9: REPO_ROOT appears unused. Verify use (or export if used externally).

(SC2034)


[warning] 72-72: Declare and assign separately to avoid masking return values.

(SC2155)

Comment on lines +809 to 836
customCloudConfig:
  description: |-
    CustomCloudConfig defines custom Azure Stack Hub or Azure Stack Edge endpoints.
    Required when EnvironmentType is AzureStackCloud.
    IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
    configuration is not supported with the legacy go-autorest SDK.
  properties:
    activeDirectoryEndpoint:
      description: |-
        ActiveDirectoryEndpoint is the AAD endpoint for authentication
        Required when using custom cloud configuration
      type: string
    keyVaultDNSSuffix:
      description: KeyVaultDNSSuffix is the DNS suffix for Key
        Vault URLs
      type: string
    keyVaultEndpoint:
      description: KeyVaultEndpoint is the Key Vault service
        endpoint
      type: string
    resourceManagerEndpoint:
      description: ResourceManagerEndpoint is the Azure Resource
        Manager endpoint
      type: string
  required:
  - activeDirectoryEndpoint
  type: object
environmentType:

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, find and read the file to check current validation state
fd "external-secrets.io_clustersecretstores.yaml" --type f

Repository: openshift/external-secrets-operator

Length of output: 214


🏁 Script executed:

# Read the file and check around the specified lines for x-kubernetes-validations
wc -l bundle/manifests/external-secrets.io_clustersecretstores.yaml

Repository: openshift/external-secrets-operator

Length of output: 214


🏁 Script executed:

# Check the context around lines 809-836
sed -n '800,850p' bundle/manifests/external-secrets.io_clustersecretstores.yaml | cat -n

Repository: openshift/external-secrets-operator

Length of output: 214


🏁 Script executed:

# Check the other mentioned locations (842-850, 891-897)
sed -n '840,900p' bundle/manifests/external-secrets.io_clustersecretstores.yaml | cat -n

Repository: openshift/external-secrets-operator

Length of output: 214


🏁 Script executed:

# Search for x-kubernetes-validations in the entire file
rg "x-kubernetes-validations" bundle/manifests/external-secrets.io_clustersecretstores.yaml -A 5 -B 2

Repository: openshift/external-secrets-operator

Length of output: 214


🌐 Web query:

external-secrets customCloudConfig UseAzureSDK AzureStackCloud requirements

💡 Result:

Short answer — requirements and notes:

  • customCloudConfig (AzureCustomCloudConfig) is only supported when useAzureSDK (UseAzureSDK) = true; the legacy go-autorest SDK does NOT support custom cloud endpoints. [1][2]
  • To target Azure Stack you must set environmentType = AzureStackCloud and provide customCloudConfig. [1][2]
  • AzureCustomCloudConfig must include at minimum activeDirectoryEndpoint (required when using custom cloud config); optional fields: keyVaultEndpoint, keyVaultDNSSuffix, resourceManagerEndpoint. [1][2]
  • UseAzureSDK is experimental (azcore-based) and may behave differently from legacy SDK — enable it explicitly in your AzureKV provider. [1][2]

If you want, I can produce a minimal SecretStore YAML example with UseAzureSDK: true and a customCloudConfig filled out.


🌐 Web query:

external-secrets v1.1.0 azure key vault custom cloud config documentation

💡 Result:

Short summary — how to configure Azure custom cloud (Azure Stack / private endpoints) for External Secrets (v1.1.0+):

  • Requirement: set useAzureSDK: true (custom cloud is only supported with the azcore-based Azure SDK). [1]

  • Set environmentType: AzureStackCloud (or the appropriate environment) and provide customCloudConfig with at least activeDirectoryEndpoint; optional fields: keyVaultEndpoint, keyVaultDNSSuffix, resourceManagerEndpoint. Example SecretStore snippet:

    apiVersion: external-secrets.io/v1beta1
    kind: SecretStore
    metadata:
      name: azure-stack-store
    spec:
      provider:
        azurekv:
          environmentType: AzureStackCloud
          useAzureSDK: true
          vaultUrl: "https://my-keyvault.local"
          customCloudConfig:
            activeDirectoryEndpoint: "https://login.microsoftonline.local/"
            resourceManagerEndpoint: "https://management.local/"
            keyVaultEndpoint: "https://vault.local/"
            keyVaultDNSSuffix: "vault.local"

  • Notes: activeDirectoryEndpoint is required when using customCloudConfig; custom cloud config is intended for Azure Stack Hub / Edge or private Azure deployments. [1][2]

Sources:
[1] External Secrets API spec — AzureCustomCloudConfig / AzureKVProvider.
[2] External Secrets Operator — Azure Key Vault provider docs (usage and environmentType).


Add schema validations for Azure Stack custom cloud config.

The upstream documentation confirms that customCloudConfig requires both useAzureSDK=true and environmentType=AzureStackCloud. The schema should enforce these constraints using x-kubernetes-validations to prevent invalid configurations. Add CEL rules like:

  • if has(spec.provider.azurekv.customCloudConfig) then spec.provider.azurekv.useAzureSDK == true
  • if has(spec.provider.azurekv.customCloudConfig) then spec.provider.azurekv.environmentType == "AzureStackCloud"

This applies to customCloudConfig definitions across the schema (lines 809-836, 842-850, 891-897).

🤖 Prompt for AI Agents
In bundle/manifests/external-secrets.io_clustersecretstores.yaml around lines
809-836 (and similarly at ~842-850 and ~891-897), the schema for Azure
customCloudConfig lacks validations enforcing that customCloudConfig may only be
present when useAzureSDK is true and environmentType equals "AzureStackCloud";
add x-kubernetes-validations CEL rules at each customCloudConfig definition
that: (1) if has(spec.provider.azurekv.customCloudConfig) then
spec.provider.azurekv.useAzureSDK == true, and (2) if
has(spec.provider.azurekv.customCloudConfig) then
spec.provider.azurekv.environmentType == "AzureStackCloud"; ensure the
validation entries follow the x-kubernetes-validations structure with clear
message text and non-negated CEL expressions so invalid manifests are rejected.

Comment on lines +809 to 836
customCloudConfig:
  description: |-
    CustomCloudConfig defines custom Azure Stack Hub or Azure Stack Edge endpoints.
    Required when EnvironmentType is AzureStackCloud.
    IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
    configuration is not supported with the legacy go-autorest SDK.
  properties:
    activeDirectoryEndpoint:
      description: |-
        ActiveDirectoryEndpoint is the AAD endpoint for authentication
        Required when using custom cloud configuration
      type: string
    keyVaultDNSSuffix:
      description: KeyVaultDNSSuffix is the DNS suffix for Key
        Vault URLs
      type: string
    keyVaultEndpoint:
      description: KeyVaultEndpoint is the Key Vault service
        endpoint
      type: string
    resourceManagerEndpoint:
      description: ResourceManagerEndpoint is the Azure Resource
        Manager endpoint
      type: string
  required:
  - activeDirectoryEndpoint
  type: object
environmentType:

🛠️ Refactor suggestion | 🟠 Major

Enforce AzureStack custom cloud invariants with CEL; minor doc casing nit.

  • AzureStackCloud requires customCloudConfig and useAzureSDK=true, but schema doesn’t enforce it. Add CEL to prevent misconfig.
  • Also ensure WorkloadIdentity implies serviceAccountRef is set.
  • Description mentions “UseAzureSDK” (uppercase U) while field is useAzureSDK.

Apply (indent under provider.azurekv schema):

           properties:
             authType:
               ...
+          x-kubernetes-validations:
+          - rule: "self.environmentType != 'AzureStackCloud' || has(self.customCloudConfig)"
+            message: "customCloudConfig is required when environmentType is AzureStackCloud."
+          - rule: "self.environmentType != 'AzureStackCloud' || self.useAzureSDK == true"
+            message: "useAzureSDK must be true for AzureStackCloud."
+          - rule: "self.authType != 'WorkloadIdentity' || has(self.serviceAccountRef)"
+            message: "serviceAccountRef is required for WorkloadIdentity."
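Review bot: all three rules read self.environmentType, self.useAzureSDK and self.authType without a has() guard. In Kubernetes CEL, selecting an optional field that the object omits and the schema does not default is an evaluation error, not false, so a store that simply leaves environmentType and customCloudConfig unset would be rejected with a generic rule-evaluation error instead of the messages written here, and an AzureStackCloud store that omits useAzureSDK gets the same unhelpful error. The quoted region ends at the environmentType key, so whether these fields carry defaults is not visible in this hunk; guard them so the rules are correct either way, e.g. `!has(self.environmentType) || self.environmentType != 'AzureStackCloud' || (has(self.useAzureSDK) && self.useAzureSDK)`, and the same `has(self.authType) &&` guard on the third rule.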

Optionally fix casing in the customCloudConfig description to reference “useAzureSDK”.

Also applies to: 842-850, 891-897

🤖 Prompt for AI Agents
In bundle/manifests/external-secrets.io_secretstores.yaml around lines 809-836
(also apply same changes at 842-850 and 891-897), add CEL validation rules under
the provider.azurekv schema: (1) enforce that when environmentType ==
"AzureStackCloud" then customCloudConfig is present and useAzureSDK == true; (2)
enforce that when workloadIdentity == true then serviceAccountRef is present
(non-empty). Also update the customCloudConfig description text to use the
correct field casing "useAzureSDK" instead of "UseAzureSDK". Ensure the CEL
expressions are attached to the schema validation block so they reject invalid
combinations rather than relying on docs.
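The invariants both of the comments above ask for (customCloudConfig only together with useAzureSDK: true and environmentType: AzureStackCloud, and AzureStackCloud never without customCloudConfig), written out as a complete x-kubernetes-validations block with two constructed SecretStore objects that exercise it. This is an added example, not a suggestion from the review and not code from the operator repository or upstream external-secrets; it assumes the block is placed directly under the azurekv provider schema (so `self` is the azurekv object) and the external-secrets.io/v1 API version for the sample objects. Every field access is guarded with has() so the rules do not depend on which fields the schema defaults.

```yaml
# Added example, not part of the review or the operator's manifests.
# Fragment of the CRD schema: the existing azurekv properties are unchanged
# and omitted here; only the validation block is new.
azurekv:
  type: object
  x-kubernetes-validations:
  - rule: "!has(self.customCloudConfig) || (has(self.useAzureSDK) && self.useAzureSDK)"
    message: "customCloudConfig requires useAzureSDK to be true; custom cloud endpoints are not supported by the legacy go-autorest SDK"
  - rule: "!has(self.customCloudConfig) || (has(self.environmentType) && self.environmentType == 'AzureStackCloud')"
    message: "customCloudConfig is only valid when environmentType is AzureStackCloud"
  - rule: "!has(self.environmentType) || self.environmentType != 'AzureStackCloud' || has(self.customCloudConfig)"
    message: "environmentType AzureStackCloud requires customCloudConfig"
---
# Constructed object: rejected by the first rule because useAzureSDK is omitted,
# so the legacy SDK would silently ignore the custom endpoints.
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: azure-stack-bad
spec:
  provider:
    azurekv:
      environmentType: AzureStackCloud
      vaultUrl: "https://my-keyvault.local"
      customCloudConfig:
        activeDirectoryEndpoint: "https://login.microsoftonline.local/"
---
# Constructed object: satisfies all three rules.
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: azure-stack-good
spec:
  provider:
    azurekv:
      environmentType: AzureStackCloud
      useAzureSDK: true
      vaultUrl: "https://my-keyvault.local"
      customCloudConfig:
        activeDirectoryEndpoint: "https://login.microsoftonline.local/"
        resourceManagerEndpoint: "https://management.local/"
        keyVaultEndpoint: "https://vault.local/"
        keyVaultDNSSuffix: "vault.local"
```

The rules run at admission, so `kubectl apply --dry-run=server -f` on the two objects shows the first rejected with the first message and the second accepted, without touching the cluster. Because this operator's CRDs are regenerated from the upstream release on every rebase (this PR is such a rebase), hand-editing the bundle YAML would be undone by the next one; the durable place for the rules is a kubebuilder validation marker on the upstream AzureKVProvider type, so that controller-gen emits the same block.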

Comment on lines +1948 to +2068
workloadIdentityFederation:
  description: GCPWorkloadIdentityFederation holds the configurations
    required for generating federated access tokens.
  properties:
    audience:
      description: |-
        audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
        If specified, Audience found in the external account credential config will be overridden with the configured value.
        audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
      type: string
    awsSecurityCredentials:
      description: |-
        awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
        when using the AWS metadata server is not an option.
      properties:
        awsCredentialsSecretRef:
          description: |-
            awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
            Secret should be created with below names for keys
            - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
            - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
            - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
          properties:
            name:
              description: name of the secret.
              maxLength: 253
              minLength: 1
              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
              type: string
            namespace:
              description: namespace in which the secret
                exists. If empty, secret will looked up
                in local namespace.
              maxLength: 63
              minLength: 1
              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
              type: string
          required:
          - name
          type: object
        region:
          description: region is for configuring the AWS
            region to be used.
          example: ap-south-1
          maxLength: 50
          minLength: 1
          pattern: ^[a-z0-9-]+$
          type: string
      required:
      - awsCredentialsSecretRef
      - region
      type: object
    credConfig:
      description: |-
        credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
        For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
        serviceAccountRef must be used by providing operators service account details.
      properties:
        key:
          description: key name holding the external account
            credential config.
          maxLength: 253
          minLength: 1
          pattern: ^[-._a-zA-Z0-9]+$
          type: string
        name:
          description: name of the configmap.
          maxLength: 253
          minLength: 1
          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
          type: string
        namespace:
          description: namespace in which the configmap
            exists. If empty, configmap will looked up in
            local namespace.
          maxLength: 63
          minLength: 1
          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
          type: string
      required:
      - key
      - name
      type: object
    externalTokenEndpoint:
      description: |-
        externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
        credential_source.url in the provided credConfig. This field is merely to double-check the external token source
        URL is having the expected value.
      type: string
    serviceAccountRef:
      description: |-
        serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
        when Kubernetes is configured as provider in workload identity pool.
      properties:
        audiences:
          description: |-
            Audience specifies the `aud` claim for the service account token
            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
            then this audiences will be appended to the list
          items:
            type: string
          type: array
        name:
          description: The name of the ServiceAccount resource
            being referred to.
          maxLength: 253
          minLength: 1
          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
          type: string
        namespace:
          description: |-
            Namespace of the resource being referred to.
            Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
          maxLength: 63
          minLength: 1
          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
          type: string
      required:
      - name
      type: object
  type: object

🛠️ Refactor suggestion | 🟠 Major

GCP Workload Identity Federation: require audience and a single token source.

  • When serviceAccountRef or awsSecurityCredentials is set, audience should be mandatory (per description).
  • Make exactly one of credConfig, serviceAccountRef, awsSecurityCredentials required to avoid ambiguous config.

Apply (indent under gcpsm.auth.workloadIdentityFederation):

         properties:
           audience:
             type: string
           awsSecurityCredentials:
             ...
           credConfig:
             ...
           serviceAccountRef:
             ...
+        x-kubernetes-validations:
+        - rule: "(has(self.serviceAccountRef) || has(self.awsSecurityCredentials)) ? (has(self.audience)) : true"
+          message: "audience is required when serviceAccountRef or awsSecurityCredentials is set."
+        - rule: "int(has(self.credConfig)) + int(has(self.serviceAccountRef)) + int(has(self.awsSecurityCredentials)) == 1"
+          message: "Configure exactly one of credConfig, serviceAccountRef, or awsSecurityCredentials."
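Review bot: the second rule will not compile, because `int(has(self.credConfig))` applies CEL's `int()` conversion to a bool, which the conversion does not accept; count the populated fields instead, e.g. `[has(self.credConfig), has(self.serviceAccountRef), has(self.awsSecurityCredentials)].filter(x, x).size() == 1`, or sum `has(...) ? 1 : 0` terms. The first rule is valid as written.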

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In bundle/manifests/external-secrets.io_secretstores.yaml around lines
1948-2068, the workloadIdentityFederation schema must enforce that exactly one
token source is provided and that audience is mandatory when serviceAccountRef
or awsSecurityCredentials is used; implement this by replacing the current flat
properties/required for workloadIdentityFederation with a oneOf at that object
level: (1) a variant requiring credConfig (and no
serviceAccountRef/awsSecurityCredentials), (2) a variant requiring
serviceAccountRef and audience in its required list, and (3) a variant requiring
awsSecurityCredentials and audience in its required list; keep the existing
property definitions but reference them in each oneOf variant so validation
enforces exactly one token source and audience requirement for the two variants
that need it.

Comment on lines +4881 to 4892
description: |-
CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
Only applies to Vault KV v2 stores. When enabled, write operations must include
the current version of the secret to prevent unintentional overwrites.
properties:
required:
description: |-
Required when true, all write operations must include a check-and-set parameter.
This helps prevent unintentional overwrites of secrets.
type: boolean
type: object
forwardInconsistent:

🛠️ Refactor suggestion | 🟠 Major

CAS must only be allowed with Vault KV v2. Add CEL guard.

checkAndSet is v2-only, but the CRD doesn’t enforce version=v2.

Apply (indent under provider.vault schema):

         properties:
           version:
             enum: [v1, v2]
             ...
+        x-kubernetes-validations:
+        - rule: "!has(self.checkAndSet) || self.version == 'v2'"
+          message: "checkAndSet is only supported with Vault KV v2."

Also applies to: 4998-5005

🤖 Prompt for AI Agents
bundle/manifests/external-secrets.io_secretstores.yaml around lines 4881-4892
(and also apply same change at 4998-5005): the CRD currently allows checkAndSet
for any Vault version — add a CEL validation so checkAndSet is only accepted
when provider.vault.version == "v2". Under the provider.vault schema (indent at
the same level as properties), add an x-kubernetes-validations (or validation
with expression) entry with a rule like: allow when
self.provider.vault.checkAndSet is null OR self.provider.vault.version == "v2"
(e.g. expression: self.provider.vault.checkAndSet == null ||
self.provider.vault.version == "v2"), and provide a clear message explaining
that checkAndSet is only supported for Vault KV v2. Ensure the same validation
is added at lines ~4998-5005 as requested.

Comment on lines +765 to 789
customCloudConfig:
description: |-
CustomCloudConfig defines custom Azure Stack Hub or Azure Stack Edge endpoints.
Required when EnvironmentType is AzureStackCloud.
IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
configuration is not supported with the legacy go-autorest SDK.
properties:
activeDirectoryEndpoint:
description: |-
ActiveDirectoryEndpoint is the AAD endpoint for authentication
Required when using custom cloud configuration
type: string
keyVaultDNSSuffix:
description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs
type: string
keyVaultEndpoint:
description: KeyVaultEndpoint is the Key Vault service endpoint
type: string
resourceManagerEndpoint:
description: ResourceManagerEndpoint is the Azure Resource Manager endpoint
type: string
required:
- activeDirectoryEndpoint
type: object
environmentType:

⚠️ Potential issue | 🟠 Major

Enforce AzureStackCloud requirements with CEL to prevent misconfiguration.

The CRD schema documents that AzureStackCloud requires both customCloudConfig and useAzureSDK=true, but these constraints aren't enforced. Add x-kubernetes-validations at the azurekv level:

+            x-kubernetes-validations:
+              - rule: "self.environmentType != 'AzureStackCloud' || (has(self.customCloudConfig) && self.useAzureSDK == true)"
+                message: "AzureStackCloud requires customCloudConfig and useAzureSDK=true."
+              - rule: "!has(self.customCloudConfig) || self.useAzureSDK == true"
+                message: "customCloudConfig requires useAzureSDK=true."
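Review bot: both rules dereference `self.environmentType` unconditionally; in CRD CEL, reading an optional field that is unset and has no default is an evaluation error, so unless `environmentType` carries a default in this schema the rules should start with `!has(self.environmentType) ||`. `self.useAzureSDK` is safe because the schema gives it `default: false`.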

Important: This file is auto-generated. Apply changes to the Go struct source annotations (not directly to the CRD YAML) and regenerate, or confirm the project supports manual CRD edits. Verify your cluster supports CEL validation rules (Kubernetes 1.25+, GA in 1.26+). Also applies to the SecretStore CRD file at similar locations.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In
config/crd/bases/customresourcedefinition_clustersecretstores.external-secrets.io.yml
around lines 765-789, the CRD documents that EnvironmentType == AzureStackCloud
requires customCloudConfig and UseAzureSDK==true but does not enforce it; add
x-kubernetes-validations (CEL) at the azurekv/azurekv-level to require that when
.spec.environmentType == "AzureStackCloud" then .spec.customCloudConfig is
present and .spec.useAzureSDK == true. Do not edit the generated YAML directly —
add the corresponding validation annotations to the Go struct tags/comments used
to generate this CRD, regenerate the CRD YAML, and apply the same change to the
SecretStore CRD at the equivalent location; ensure cluster Kubernetes version
supports CEL validations before enabling.

Comment on lines +4571 to +4581
description: |-
CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
Only applies to Vault KV v2 stores. When enabled, write operations must include
the current version of the secret to prevent unintentional overwrites.
properties:
required:
description: |-
Required when true, all write operations must include a check-and-set parameter.
This helps prevent unintentional overwrites of secrets.
type: boolean
type: object

⚠️ Potential issue | 🟠 Major

Vault CAS: restrict to KV v2 and set defaults

CAS applies only to KV v2. Without gating, users on KV v1 can set checkAndSet and get confusing behavior.

  • Gate checkAndSet to version v2 via CEL.
  • Default required to false to avoid accidental enforcement.
         vault:
           properties:
             ...
             version:
               enum: [v1, v2]
             ...
             checkAndSet:
               description: ...
               properties:
                 required:
-                  type: boolean
+                  type: boolean
+                  default: false
+            x-kubernetes-validations:
+              - rule: "!has(self.checkAndSet) || self.version == 'v2'"
+                message: "checkAndSet is only supported for Vault KV v2."

Also applies to: 4685-4693

🤖 Prompt for AI Agents
In
config/crd/bases/customresourcedefinition_secretstores.external-secrets.io.yml
around lines 4571-4581 (and similarly 4685-4693), the CheckAndSet schema allows
users to set checkAndSet for any Vault KV version and leaves the required field
without a default; add a CEL validation to gate checkAndSet to only allow when
the store version equals "v2" (e.g., using x-kubernetes-validations with a CEL
expression that checks spec.vault?.kv?.version == "v2" or the appropriate path
in this CRD) and set the required property's default to false (add default:
false under that property). Apply the same changes to the other referenced block
(4685-4693) so CAS is restricted to KV v2 and required defaults to false.

Comment on lines +8 to +9
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$SCRIPT_DIR"

⚠️ Potential issue | 🟠 Major

Remove unused variable or enforce working directory.

REPO_ROOT is defined but never used. Functions assume execution from the repository root (e.g., line 129: make update-operand-manifests, line 149: config/manifests/bases/...). If the script is invoked from a different directory, it will silently fail.

Either use REPO_ROOT consistently in all paths, or add an explicit check to enforce that the script runs from the repository root.

🧰 Tools
🪛 Shellcheck (0.11.0)

[warning] 9-9: REPO_ROOT appears unused. Verify use (or export if used externally).

(SC2034)

Comment on lines +58 to +68
detect_current_versions() {
log_info "Auto-detecting current versions..."
if [[ -z "$OLD_BUNDLE_VERSION" ]]; then OLD_BUNDLE_VERSION=$(grep "^VERSION" Makefile | head -1 | cut -d'=' -f2 | tr -d ' ?'); log_info "Auto-detected OLD_BUNDLE_VERSION: $OLD_BUNDLE_VERSION"; fi
if [[ -z "$OLD_EXTERNAL_SECRETS_VERSION" ]]; then OLD_EXTERNAL_SECRETS_VERSION=$(grep "^EXTERNAL_SECRETS_VERSION" Makefile | cut -d'=' -f2 | tr -d ' ?'); log_info "Auto-detected OLD_EXTERNAL_SECRETS_VERSION: $OLD_EXTERNAL_SECRETS_VERSION"; fi
if [[ -z "$OLD_BUNDLE_VERSION" || -z "$OLD_EXTERNAL_SECRETS_VERSION" ]]; then log_error "Failed to auto-detect current versions"; exit 1; fi
log_success "Version detection completed"
log_info "OLD_BUNDLE_VERSION: $OLD_BUNDLE_VERSION"
log_info "OLD_EXTERNAL_SECRETS_VERSION: $OLD_EXTERNAL_SECRETS_VERSION"
log_info "NEW_BUNDLE_VERSION: $NEW_BUNDLE_VERSION"
log_info "NEW_EXTERNAL_SECRETS_VERSION: $NEW_EXTERNAL_SECRETS_VERSION"
}

⚠️ Potential issue | 🟠 Major

Mask return codes in version detection pipeline.

Lines 60–61 mask pipeline exit codes. If grep fails to find the version pattern, the assignment still succeeds with an empty value, and the function continues without error detection.

Apply this fix to properly handle failures:

-    if [[ -z "$OLD_BUNDLE_VERSION" ]]; then OLD_BUNDLE_VERSION=$(grep "^VERSION" Makefile | head -1 | cut -d'=' -f2 | tr -d ' ?'); log_info "Auto-detected OLD_BUNDLE_VERSION: $OLD_BUNDLE_VERSION"; fi
-    if [[ -z "$OLD_EXTERNAL_SECRETS_VERSION" ]]; then OLD_EXTERNAL_SECRETS_VERSION=$(grep "^EXTERNAL_SECRETS_VERSION" Makefile | cut -d'=' -f2 | tr -d ' ?'); log_info "Auto-detected OLD_EXTERNAL_SECRETS_VERSION: $OLD_EXTERNAL_SECRETS_VERSION"; fi
+    if [[ -z "$OLD_BUNDLE_VERSION" ]]; then OLD_BUNDLE_VERSION=$(grep "^VERSION" Makefile | head -1 | cut -d'=' -f2 | tr -d ' ?') || log_error "Failed to detect OLD_BUNDLE_VERSION"; [[ -z "$OLD_BUNDLE_VERSION" ]] && exit 1; log_info "Auto-detected OLD_BUNDLE_VERSION: $OLD_BUNDLE_VERSION"; fi
+    if [[ -z "$OLD_EXTERNAL_SECRETS_VERSION" ]]; then OLD_EXTERNAL_SECRETS_VERSION=$(grep "^EXTERNAL_SECRETS_VERSION" Makefile | cut -d'=' -f2 | tr -d ' ?') || log_error "Failed to detect OLD_EXTERNAL_SECRETS_VERSION"; [[ -z "$OLD_EXTERNAL_SECRETS_VERSION" ]] && exit 1; log_info "Auto-detected OLD_EXTERNAL_SECRETS_VERSION: $OLD_EXTERNAL_SECRETS_VERSION"; fi

Or use PIPEFAIL (already enabled on line 2) by checking the final result:

+    if [[ -z "$OLD_BUNDLE_VERSION" ]]; then 
+      OLD_BUNDLE_VERSION=$(grep "^VERSION" Makefile | head -1 | cut -d'=' -f2 | tr -d ' ?')
+      if [[ -z "$OLD_BUNDLE_VERSION" ]]; then log_error "Failed to detect OLD_BUNDLE_VERSION from Makefile"; exit 1; fi
+      log_info "Auto-detected OLD_BUNDLE_VERSION: $OLD_BUNDLE_VERSION"
+    fi

return 0
fi
log_info "Updating VERSION: $OLD_BUNDLE_VERSION -> $NEW_BUNDLE_VERSION"
sed -i "s/^VERSION ?= $OLD_BUNDLE_VERSION/VERSION ?= $NEW_BUNDLE_VERSION/" Makefile

⚠️ Potential issue | 🟠 Major

Use platform-independent sed syntax to avoid macOS incompatibility.

The sed -i command requires different syntax on macOS (needs a backup extension). Lines 110 and 112 will fail on macOS systems. Use either sed -i'' or sed -i.bak with cleanup, or use a cross-platform alternative like perl -i.

Apply this fix to ensure cross-platform compatibility:

-    sed -i "s/^VERSION ?= $OLD_BUNDLE_VERSION/VERSION ?= $NEW_BUNDLE_VERSION/" Makefile
+    sed -i.bak "s/^VERSION ?= $OLD_BUNDLE_VERSION/VERSION ?= $NEW_BUNDLE_VERSION/" Makefile && rm -f Makefile.bak

Or use perl:

-    sed -i "s/^VERSION ?= $OLD_BUNDLE_VERSION/VERSION ?= $NEW_BUNDLE_VERSION/" Makefile
+    perl -i -pe "s/^VERSION \?= $OLD_BUNDLE_VERSION/VERSION ?= $NEW_BUNDLE_VERSION/" Makefile
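Review bot: the perl variant still interpolates `$OLD_BUNDLE_VERSION` into the pattern unescaped, so each dot in the version matches any character; write it as `\Q$OLD_BUNDLE_VERSION\E` so perl quotes the metacharacters (the shell expands the variable inside the double quotes before perl parses the expression). The `sed -i.bak` variant above has the same unescaped dots.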

Also applies to: 112-112

🤖 Prompt for AI Agents
In rebase-automation.sh around lines 110 and 112, the sed -i usage is
macOS-incompatible; replace those in-place sed calls with a cross-platform
alternative (either use sed -i'' or sed -i.bak followed by removing the .bak
files, or switch to perl -i with the same substitution expression) so the
Makefile VERSION substitution works on both Linux and macOS; update both lines
to use your chosen portable invocation and, if using .bak, add cleanup to remove
backups.

Comment on lines +149 to +162
local csv_file="config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml"
if [[ -f "$csv_file" ]]; then
log_info "Updating $csv_file"
sed -i "s/version: $OLD_BUNDLE_VERSION/version: $NEW_BUNDLE_VERSION/" "$csv_file"
sed -i "s/name: external-secrets-operator\.v$OLD_BUNDLE_VERSION/name: external-secrets-operator.v$NEW_BUNDLE_VERSION/" "$csv_file"
if grep -q "replaces:" "$csv_file"; then
sed -i "s/replaces: external-secrets-operator\.v[0-9]\+\.[0-9]\+\.[0-9]\+/replaces: external-secrets-operator.v$OLD_BUNDLE_VERSION/" "$csv_file"
else
if [[ "$OLD_BUNDLE_VERSION" != "0.0.0" ]]; then
sed -i "/name: external-secrets-operator\.v$NEW_BUNDLE_VERSION/a\ replaces: external-secrets-operator.v$OLD_BUNDLE_VERSION" "$csv_file"
fi
fi
sed -i "s/olm\.skipRange: <[0-9]\+\.[0-9]\+\.[0-9]\+/olm.skipRange: <$NEW_BUNDLE_VERSION/" "$csv_file"
fi
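Review bot: the sed patterns in this block interpolate `$OLD_BUNDLE_VERSION` and `$NEW_BUNDLE_VERSION` unescaped, so each dot is a wildcard, and the `s/version: $OLD_BUNDLE_VERSION/.../` substitution is unanchored, so it rewrites the first `version: <old>` match on any line rather than only the CSV's own `version:` field; escape the dots before building the pattern and anchor on the field's leading indentation. The `\+` in the `replaces:` and `olm.skipRange` patterns is a GNU sed extension that BSD/macOS sed reads as a literal plus, so those two substitutions silently match nothing there.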

⚠️ Potential issue | 🟠 Major

Add error handling for missing CSV file path.

Line 149 hardcodes the CSV file path without checking existence. If the file is missing or renamed, the script silently skips step 4 with no diagnostic output.

Apply this fix:

     local csv_file="config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml"
     if [[ -f "$csv_file" ]]; then
         log_info "Updating $csv_file"
+    else
+        log_error "CSV file not found: $csv_file"
+        return 1
     fi
Suggested change
local csv_file="config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml"
if [[ -f "$csv_file" ]]; then
log_info "Updating $csv_file"
sed -i "s/version: $OLD_BUNDLE_VERSION/version: $NEW_BUNDLE_VERSION/" "$csv_file"
sed -i "s/name: external-secrets-operator\.v$OLD_BUNDLE_VERSION/name: external-secrets-operator.v$NEW_BUNDLE_VERSION/" "$csv_file"
if grep -q "replaces:" "$csv_file"; then
sed -i "s/replaces: external-secrets-operator\.v[0-9]\+\.[0-9]\+\.[0-9]\+/replaces: external-secrets-operator.v$OLD_BUNDLE_VERSION/" "$csv_file"
else
if [[ "$OLD_BUNDLE_VERSION" != "0.0.0" ]]; then
sed -i "/name: external-secrets-operator\.v$NEW_BUNDLE_VERSION/a\ replaces: external-secrets-operator.v$OLD_BUNDLE_VERSION" "$csv_file"
fi
fi
sed -i "s/olm\.skipRange: <[0-9]\+\.[0-9]\+\.[0-9]\+/olm.skipRange: <$NEW_BUNDLE_VERSION/" "$csv_file"
else
log_error "CSV file not found: $csv_file"
return 1
fi
🤖 Prompt for AI Agents
In rebase-automation.sh around lines 149 to 162, the script currently wraps
edits in an if [[ -f "$csv_file" ]]; then ... fi but provides no feedback when
the CSV is missing; add explicit error handling in the else branch: log an error
(e.g., log_error "CSV file not found: $csv_file") and exit with a non-zero
status (exit 1) so the pipeline fails fast and the missing/renamed CSV is
clearly reported.

@PillaiManish
Member

/retest

@siddhibhor-56
Contributor Author

/retest


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (5)
pkg/operator/assets/bindata.go (1)

564-665: ClusterRole grants update/patch on all Namespaces — reduce scope or document

The ClusterRole "external-secrets-controller" adds verbs update/patch on core namespaces, allowing cluster‑wide mutation of Namespace objects — a significant privilege increase.

  • Confirm exactly which Namespace fields the controller modifies and why.
  • Limit scope if possible (e.g., avoid blanket update/patch on all namespaces; use Role/RoleBinding, restrict to specific fields via admission controls, or feature‑gate the behavior).
  • Document the expanded privilege in admin-facing docs and release notes; reference the related security work (CVE-2025-55196 / PRs #5109, #5133) as necessary.

File: pkg/operator/assets/bindata.go — ClusterRole external-secrets-controller (namespaces rule).

bundle/manifests/external-secrets-operator.clusterserviceversion.yaml (4)

720-725: Blocker: CSV still pins operand/operator to old versions.

  • OPERATOR_IMAGE_VERSION should be 1.1.0.
  • RELATED_IMAGE_EXTERNAL_SECRETS and OPERAND_EXTERNAL_SECRETS_IMAGE_VERSION should be v0.20.1.

Apply:

-                - name: OPERATOR_IMAGE_VERSION
-                  value: 1.0.0
+                - name: OPERATOR_IMAGE_VERSION
+                  value: 1.1.0
-                - name: RELATED_IMAGE_EXTERNAL_SECRETS
-                  value: oci.external-secrets.io/external-secrets/external-secrets:v0.19.0
+                - name: RELATED_IMAGE_EXTERNAL_SECRETS
+                  value: oci.external-secrets.io/external-secrets/external-secrets:v0.20.1
-                - name: OPERAND_EXTERNAL_SECRETS_IMAGE_VERSION
-                  value: 0.19.0
+                - name: OPERAND_EXTERNAL_SECRETS_IMAGE_VERSION
+                  value: 0.20.1

817-819: Blocker: relatedImages not aligned with v0.20.1.

Update the external-secrets related image to v0.20.1 to match the deployment manifests.

-  - image: oci.external-secrets.io/external-secrets/external-secrets:v0.19.0
+  - image: oci.external-secrets.io/external-secrets/external-secrets:v0.20.1

551-569: Add cloudsmithaccesstokens to generators RBAC in CSV.

The Cloudsmith generator (CloudsmithAccessToken) is a built-in generator type that exchanges OIDC tokens for Cloudsmith access tokens but is missing from the RBAC configuration. Add it to the generators.external-secrets.io resources:

         - apiGroups:
           - generators.external-secrets.io
           resources:
             - acraccesstokens
+            - cloudsmithaccesstokens
             - clustergenerators
             - ecrauthorizationtokens

330-351: Add CloudsmithAccessToken to spec.customresourcedefinitions.owned if shipping this generator.

CloudsmithAccessToken is a documented generator in external-secrets that creates short-lived Cloudsmith registry credentials via OIDC. It follows the same pattern as other generators already listed (GCRAccessToken, GithubAccessToken, etc.). Verify whether this version of the bundle includes Cloudsmith support; if so, add:

+    - description: CloudsmithAccessToken generates a Cloudsmith OIDC access token.
+      displayName: CloudsmithAccessToken
+      kind: CloudsmithAccessToken
+      name: cloudsmithaccesstokens.generators.external-secrets.io
+      version: v1alpha1

If this generator is not included in this release, confirm OLM has proper dependency handling for any downstream deployments that may reference it.

♻️ Duplicate comments (7)
bundle/manifests/external-secrets.io_secretstores.yaml (3)

809-835: Add CEL to enforce AzureStack invariants and WorkloadIdentity SA; fix doc casing.

Schema allows invalid combos: AzureStackCloud without customCloudConfig/useAzureSDK, and WorkloadIdentity without serviceAccountRef. Enforce via CEL and fix description to reference useAzureSDK (lowercase), not UseAzureSDK.

@@
                   azurekv:
                     description: AzureKV configures this store to sync secrets using
                       Azure Key Vault provider
                     properties:
@@
-                      customCloudConfig:
+                      customCloudConfig:
                         description: |-
                           CustomCloudConfig defines custom Azure Stack Hub or Azure Stack Edge endpoints.
                           Required when EnvironmentType is AzureStackCloud.
-                          IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
+                          IMPORTANT: This feature REQUIRES useAzureSDK to be set to true. Custom cloud
                           configuration is not supported with the legacy go-autorest SDK.
@@
                       environmentType:
@@
-                          PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
+                          PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
                           Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints.
@@
-                      useAzureSDK:
+                      useAzureSDK:
                         default: false
                         description: |-
                           UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
                           This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
                         type: boolean
+                    x-kubernetes-validations:
+                    - rule: "self.environmentType != 'AzureStackCloud' || has(self.customCloudConfig)"
+                      message: "customCloudConfig is required when environmentType is AzureStackCloud."
+                    - rule: "self.environmentType != 'AzureStackCloud' || self.useAzureSDK == true"
+                      message: "useAzureSDK must be true for AzureStackCloud."
+                    - rule: "self.authType != 'WorkloadIdentity' || has(self.serviceAccountRef)"
+                      message: "serviceAccountRef is required for WorkloadIdentity."

Also applies to: 842-849, 891-896


1948-2068: GCP WIF: require audience when SA/AWS is used and force exactly one token source.

Docs state audience is mandatory with serviceAccountRef or awsSecurityCredentials, but schema doesn’t enforce it. Also multiple token sources can be set at once. Add CEL guards.

@@
-                          workloadIdentityFederation:
+                          workloadIdentityFederation:
                             description: GCPWorkloadIdentityFederation holds the configurations
                               required for generating federated access tokens.
                             properties:
                               audience:
@@
                               serviceAccountRef:
@@
-                            type: object
+                            type: object
+                          x-kubernetes-validations:
+                          - rule: "(has(self.serviceAccountRef) || has(self.awsSecurityCredentials)) ? has(self.audience) : true"
+                            message: "audience is required when serviceAccountRef or awsSecurityCredentials is set."
+                          - rule: "int(has(self.credConfig)) + int(has(self.serviceAccountRef)) + int(has(self.awsSecurityCredentials)) == 1"
+                            message: "Configure exactly one of credConfig, serviceAccountRef, or awsSecurityCredentials."

4881-4892: Vault CAS must only be allowed with KV v2. Add guard.

checkAndSet is v2-only; schema allows it with v1. Prevent misconfig with CEL at provider.vault level.

@@
                   vault:
                     description: Vault configures this store to sync secrets using
                       Hashi provider
                     properties:
@@
-                      checkAndSet:
+                      checkAndSet:
                         description: |-
                           CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
                           Only applies to Vault KV v2 stores. When enabled, write operations must include
                           the current version of the secret to prevent unintentional overwrites.
@@
-                        type: object
+                        type: object
+                    x-kubernetes-validations:
+                    - rule: "!has(self.checkAndSet) || self.version == 'v2'"
+                      message: "checkAndSet is only supported with Vault KV v2."
@@
                       version:
                         default: v2

Also applies to: 4998-5005

config/crd/bases/customresourcedefinition_secretstores.external-secrets.io.yml (3)

765-788: Azure Stack coupling not enforced (add CEL).

Docs say AzureStackCloud requires customCloudConfig and useAzureSDK=true; schema doesn’t enforce. Add validations to prevent misconfig.

           properties:
             ...
             vaultUrl:
               description: Vault Url from which the secrets to be fetched from.
               type: string
+          x-kubernetes-validations:
+            - rule: "self.environmentType != 'AzureStackCloud' || (has(self.customCloudConfig) && has(self.customCloudConfig.activeDirectoryEndpoint) && self.useAzureSDK == true)"
+              message: "When environmentType is AzureStackCloud, set useAzureSDK=true and provide customCloudConfig.activeDirectoryEndpoint."
+            - rule: "!has(self.customCloudConfig) || self.environmentType == 'AzureStackCloud'"
+              message: "customCloudConfig is only supported with environmentType AzureStackCloud."
           required:
             - vaultUrl

Also applies to: 790-803, 840-845, 846-851


1815-1927: GCPSM workloadIdentityFederation: make audience conditionally required.

Enforce audience when serviceAccountRef or awsSecurityCredentials is set.

         workloadIdentityFederation:
           description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
           properties:
             audience:
               description: |-
                 audience is the Secure Token Service (STS) audience ...
               type: string
             ...
-          type: object
+          x-kubernetes-validations:
+            - rule: "(has(self.serviceAccountRef) || has(self.awsSecurityCredentials)) ? (has(self.audience) && size(self.audience) > 0) : true"
+              message: "audience is required when serviceAccountRef or awsSecurityCredentials is set."
+          type: object

4570-4581: Vault CAS: restrict to KV v2 and default required=false.

Prevent CAS on KV v1 and set safe default.

         vault:
           properties:
             ...
-            checkAndSet:
+            checkAndSet:
               description: |-
                 CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
                 Only applies to Vault KV v2 stores. When enabled, write operations must include
                 the current version of the secret to prevent unintentional overwrites.
               properties:
                 required:
                   description: |-
                     Required when true, all write operations must include a check-and-set parameter.
                     This helps prevent unintentional overwrites of secrets.
-                  type: boolean
+                  type: boolean
+                  default: false
               type: object
+          x-kubernetes-validations:
+            - rule: "!has(self.checkAndSet) || self.version == 'v2'"
+              message: "checkAndSet is only supported for Vault KV v2."
           ...
           version:
             default: v2
             description: |-
               Version is the Vault KV secret engine version...
             enum:
               - v1
               - v2
             type: string
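Review bot: the `-            checkAndSet:` / `+            checkAndSet:` and `-                  type: boolean` / `+                  type: boolean` pairs are byte-identical and should be dropped from the diff; the only real changes are the `default: false` line and the `x-kubernetes-validations` block. The rule `!has(self.checkAndSet) || self.version == 'v2'` reads `self.version` without a `has()` guard, which is only safe because `version` carries `default: v2` in this schema; if that default is ever removed the expression errors instead of failing closed. Writing it as `!has(self.checkAndSet) || !has(self.version) || self.version == 'v2'` keeps the intent without depending on defaulting, and the same applies to the second location (4685-4693) noted below.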

Also applies to: 4685-4693

bundle/manifests/external-secrets.io_clustersecretstores.yaml (1)

809-835: Add CEL to enforce Azure Stack config invariants (customCloudConfig ⇄ useAzureSDK ⇄ environmentType).

customCloudConfig can be set while useAzureSDK=false or environmentType!=AzureStackCloud. This admits invalid manifests that will fail at runtime. Enforce cross-field rules at the azurekv object level.

Apply this diff (placed under spec.provider.properties.azurekv, alongside properties/required/type):

   azurekv:
     description: AzureKV configures this store to sync secrets using
       Azure Key Vault provider
     properties:
       ...
     required:
     - vaultUrl
     type: object
+    x-kubernetes-validations:
+    - rule: "!has(self.customCloudConfig) || (self.useAzureSDK == true && self.environmentType == 'AzureStackCloud')"
+      message: "customCloudConfig requires useAzureSDK: true and environmentType: AzureStackCloud."
+    - rule: "self.environmentType != 'AzureStackCloud' || has(self.customCloudConfig)"
+      message: "When environmentType is AzureStackCloud, customCloudConfig must be provided."
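Review bot: both rules dereference `self.useAzureSDK` and `self.environmentType` without a `has()` guard; if either field is optional and has no default in this schema, a store that sets `customCloudConfig` but omits `useAzureSDK` makes the CEL expression fail on a missing key rather than with the intended message. Guard the optional fields, e.g. `!has(self.customCloudConfig) || (has(self.useAzureSDK) && self.useAzureSDK && has(self.environmentType) && self.environmentType == 'AzureStackCloud')`, and do the same in the second rule. The second rule also rejects any already-persisted store with `environmentType: AzureStackCloud` and no `customCloudConfig`, so those objects can start failing validation on their next update after the CRD upgrade; that behaviour change should be called out in the release notes for 1.1.0.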

Optional (nice-to-have): also reject useAzureSDK=false when environmentType == AzureStackCloud for clearer UX; the first rule already covers it.

Also applies to: 836-850, 891-896

🧹 Nitpick comments (4)
config/crd/bases/customresourcedefinition_clusterexternalsecrets.external-secrets.io.yml (1)

528-537: Be aware of operational impact of templated Secret finalizers

Allowing users to set spec.externalSecretSpec.target.template.metadata.finalizers gives them full control over finalizers on generated Secrets. That’s powerful but can cause Secrets to be stuck in deletion if a referenced finalizer controller is not present or misbehaves. This likely mirrors upstream behavior, so no change is strictly required, but you may want to ensure this is documented and operationally accepted for your environments.

bundle/manifests/external-secrets.io_externalsecrets.yaml (1)

676-681: New selectableFields require k8s 1.32+.

CSV sets minKubeVersion=1.32.0; ensure docs/channels reflect this prerequisite.

bundle/manifests/generators.external-secrets.io_vaultdynamicsecrets.yaml (1)

741-752: Vault CAS support added — good safeguard.

checkAndSet strengthens write safety for KV v2. Consider defaulting to required=true in secured profiles, but optional is fine for compatibility.

bundle/manifests/external-secrets.io_clustersecretstores.yaml (1)

1949-2068: Enforce audience when using GCP Workload Identity Federation with SA/AWS creds.

The description says audience must be provided when serviceAccountRef or awsSecurityCredentials is configured, but the schema doesn’t enforce it. Prevents silent misconfig.

Apply this diff (under spec.provider.properties.gcpsm.properties.auth.properties.workloadIdentityFederation):

   workloadIdentityFederation:
     description: GCPWorkloadIdentityFederation holds the configurations
       required for generating federated access tokens.
     properties:
       audience:
         type: string
       awsSecurityCredentials:
         ...
       credConfig:
         ...
       externalTokenEndpoint:
         type: string
       serviceAccountRef:
         ...
     type: object
+    x-kubernetes-validations:
+    - rule: "!has(self.serviceAccountRef) && !has(self.awsSecurityCredentials) || has(self.audience)"
+      message: "audience is required when serviceAccountRef or awsSecurityCredentials is set."
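Review bot: the rule relies on `&&` binding tighter than `||`, so it evaluates as `(!has(self.serviceAccountRef) && !has(self.awsSecurityCredentials)) || has(self.audience)`, which is the intended meaning; parenthesising it makes that explicit for the next reader. It also differs from the earlier hunk in this review for the same `workloadIdentityFederation` schema, which additionally requires `size(self.audience) > 0`; pick one form and apply it to both CRDs so SecretStore and ClusterSecretStore accept the same manifests, and add it to the config/crd/bases counterpart listed in this PR as well.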
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between bff8df4 and 07f8654.

⛔ Files ignored due to path filters (222)
📒 Files selected for processing (78)
  • Makefile (1 hunks)
  • bindata/external-secrets/resources/certificate_external-secrets-webhook.yml (1 hunks)
  • bindata/external-secrets/resources/clusterrole_external-secrets-cert-controller.yml (2 hunks)
  • bindata/external-secrets/resources/clusterrole_external-secrets-controller.yml (3 hunks)
  • bindata/external-secrets/resources/clusterrole_external-secrets-edit.yml (2 hunks)
  • bindata/external-secrets/resources/clusterrole_external-secrets-servicebindings.yml (1 hunks)
  • bindata/external-secrets/resources/clusterrole_external-secrets-view.yml (2 hunks)
  • bindata/external-secrets/resources/clusterrolebinding_external-secrets-cert-controller.yml (1 hunks)
  • bindata/external-secrets/resources/clusterrolebinding_external-secrets-controller.yml (1 hunks)
  • bindata/external-secrets/resources/deployment_bitwarden-sdk-server.yml (2 hunks)
  • bindata/external-secrets/resources/deployment_external-secrets-cert-controller.yml (3 hunks)
  • bindata/external-secrets/resources/deployment_external-secrets-webhook.yml (3 hunks)
  • bindata/external-secrets/resources/deployment_external-secrets.yml (3 hunks)
  • bindata/external-secrets/resources/role_external-secrets-leaderelection.yml (1 hunks)
  • bindata/external-secrets/resources/rolebinding_external-secrets-leaderelection.yml (1 hunks)
  • bindata/external-secrets/resources/secret_external-secrets-webhook.yml (1 hunks)
  • bindata/external-secrets/resources/service_bitwarden-sdk-server.yml (1 hunks)
  • bindata/external-secrets/resources/service_external-secrets-cert-controller-metrics.yml (1 hunks)
  • bindata/external-secrets/resources/service_external-secrets-metrics.yml (1 hunks)
  • bindata/external-secrets/resources/service_external-secrets-webhook.yml (1 hunks)
  • bindata/external-secrets/resources/serviceaccount_bitwarden-sdk-server.yml (1 hunks)
  • bindata/external-secrets/resources/serviceaccount_external-secrets-cert-controller.yml (1 hunks)
  • bindata/external-secrets/resources/serviceaccount_external-secrets-webhook.yml (1 hunks)
  • bindata/external-secrets/resources/serviceaccount_external-secrets.yml (1 hunks)
  • bindata/external-secrets/resources/validatingwebhookconfiguration_externalsecret-validate.yml (1 hunks)
  • bindata/external-secrets/resources/validatingwebhookconfiguration_secretstore-validate.yml (1 hunks)
  • bundle/manifests/external-secrets-operator.clusterserviceversion.yaml (4 hunks)
  • bundle/manifests/external-secrets.io_clusterexternalsecrets.yaml (4 hunks)
  • bundle/manifests/external-secrets.io_clusterpushsecrets.yaml (3 hunks)
  • bundle/manifests/external-secrets.io_clustersecretstores.yaml (15 hunks)
  • bundle/manifests/external-secrets.io_externalsecrets.yaml (5 hunks)
  • bundle/manifests/external-secrets.io_pushsecrets.yaml (3 hunks)
  • bundle/manifests/external-secrets.io_secretstores.yaml (15 hunks)
  • bundle/manifests/generators.external-secrets.io_acraccesstokens.yaml (2 hunks)
  • bundle/manifests/generators.external-secrets.io_clustergenerators.yaml (6 hunks)
  • bundle/manifests/generators.external-secrets.io_ecrauthorizationtokens.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_gcraccesstokens.yaml (2 hunks)
  • bundle/manifests/generators.external-secrets.io_generatorstates.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_githubaccesstokens.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_grafanas.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_mfas.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_passwords.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_quayaccesstokens.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_sshkeys.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_stssessiontokens.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_uuids.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_vaultdynamicsecrets.yaml (2 hunks)
  • bundle/manifests/generators.external-secrets.io_webhooks.yaml (1 hunks)
  • bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml (3 hunks)
  • bundle/manifests/operator.openshift.io_externalsecretsmanagers.yaml (3 hunks)
  • config/crd/bases/customresourcedefinition_acraccesstokens.generators.external-secrets.io.yml (2 hunks)
  • config/crd/bases/customresourcedefinition_cloudsmithaccesstokens.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_clusterexternalsecrets.external-secrets.io.yml (4 hunks)
  • config/crd/bases/customresourcedefinition_clustergenerators.generators.external-secrets.io.yml (6 hunks)
  • config/crd/bases/customresourcedefinition_clusterpushsecrets.external-secrets.io.yml (3 hunks)
  • config/crd/bases/customresourcedefinition_clustersecretstores.external-secrets.io.yml (15 hunks)
  • config/crd/bases/customresourcedefinition_ecrauthorizationtokens.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_externalsecrets.external-secrets.io.yml (5 hunks)
  • config/crd/bases/customresourcedefinition_gcraccesstokens.generators.external-secrets.io.yml (2 hunks)
  • config/crd/bases/customresourcedefinition_generatorstates.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_githubaccesstokens.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_grafanas.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_mfas.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_passwords.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_pushsecrets.external-secrets.io.yml (3 hunks)
  • config/crd/bases/customresourcedefinition_quayaccesstokens.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_secretstores.external-secrets.io.yml (15 hunks)
  • config/crd/bases/customresourcedefinition_sshkeys.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_stssessiontokens.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_uuids.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_vaultdynamicsecrets.generators.external-secrets.io.yml (2 hunks)
  • config/crd/bases/customresourcedefinition_webhooks.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml (3 hunks)
  • config/crd/bases/operator.openshift.io_externalsecretsmanagers.yaml (3 hunks)
  • config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml (3 hunks)
  • go.mod (8 hunks)
  • pkg/controller/external_secrets/deployments_test.go (1 hunks)
  • pkg/operator/assets/bindata.go (37 hunks)
🚧 Files skipped from review as they are similar to previous changes (42)
  • bindata/external-secrets/resources/rolebinding_external-secrets-leaderelection.yml
  • bindata/external-secrets/resources/validatingwebhookconfiguration_externalsecret-validate.yml
  • bundle/manifests/generators.external-secrets.io_webhooks.yaml
  • config/crd/bases/customresourcedefinition_githubaccesstokens.generators.external-secrets.io.yml
  • bindata/external-secrets/resources/clusterrole_external-secrets-view.yml
  • bindata/external-secrets/resources/deployment_bitwarden-sdk-server.yml
  • pkg/controller/external_secrets/deployments_test.go
  • bindata/external-secrets/resources/service_external-secrets-metrics.yml
  • bindata/external-secrets/resources/serviceaccount_external-secrets.yml
  • bundle/manifests/generators.external-secrets.io_githubaccesstokens.yaml
  • bundle/manifests/generators.external-secrets.io_quayaccesstokens.yaml
  • bindata/external-secrets/resources/deployment_external-secrets-webhook.yml
  • config/crd/bases/customresourcedefinition_pushsecrets.external-secrets.io.yml
  • bindata/external-secrets/resources/deployment_external-secrets.yml
  • bundle/manifests/external-secrets.io_clusterexternalsecrets.yaml
  • config/crd/bases/customresourcedefinition_webhooks.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_gcraccesstokens.generators.external-secrets.io.yml
  • bindata/external-secrets/resources/service_external-secrets-cert-controller-metrics.yml
  • bindata/external-secrets/resources/serviceaccount_bitwarden-sdk-server.yml
  • bundle/manifests/generators.external-secrets.io_sshkeys.yaml
  • bindata/external-secrets/resources/service_external-secrets-webhook.yml
  • config/crd/bases/customresourcedefinition_grafanas.generators.external-secrets.io.yml
  • bundle/manifests/generators.external-secrets.io_grafanas.yaml
  • config/crd/bases/customresourcedefinition_vaultdynamicsecrets.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_stssessiontokens.generators.external-secrets.io.yml
  • bindata/external-secrets/resources/clusterrole_external-secrets-edit.yml
  • bindata/external-secrets/resources/role_external-secrets-leaderelection.yml
  • bundle/manifests/operator.openshift.io_externalsecretsmanagers.yaml
  • config/crd/bases/customresourcedefinition_ecrauthorizationtokens.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_clusterpushsecrets.external-secrets.io.yml
  • bindata/external-secrets/resources/clusterrole_external-secrets-controller.yml
  • bindata/external-secrets/resources/clusterrolebinding_external-secrets-cert-controller.yml
  • bundle/manifests/generators.external-secrets.io_ecrauthorizationtokens.yaml
  • config/crd/bases/customresourcedefinition_uuids.generators.external-secrets.io.yml
  • bundle/manifests/generators.external-secrets.io_passwords.yaml
  • config/crd/bases/customresourcedefinition_cloudsmithaccesstokens.generators.external-secrets.io.yml
  • bundle/manifests/generators.external-secrets.io_generatorstates.yaml
  • bundle/manifests/external-secrets.io_clusterpushsecrets.yaml
  • bundle/manifests/generators.external-secrets.io_mfas.yaml
  • config/crd/bases/customresourcedefinition_clustersecretstores.external-secrets.io.yml
  • bindata/external-secrets/resources/service_bitwarden-sdk-server.yml
  • bundle/manifests/external-secrets.io_pushsecrets.yaml
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • bindata/external-secrets/resources/serviceaccount_external-secrets-webhook.yml
  • bindata/external-secrets/resources/certificate_external-secrets-webhook.yml
  • bundle/manifests/generators.external-secrets.io_gcraccesstokens.yaml
  • bundle/manifests/generators.external-secrets.io_uuids.yaml
  • config/crd/bases/customresourcedefinition_acraccesstokens.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_mfas.generators.external-secrets.io.yml
  • bindata/external-secrets/resources/secret_external-secrets-webhook.yml
  • bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml
  • bindata/external-secrets/resources/clusterrolebinding_external-secrets-controller.yml
  • config/crd/bases/customresourcedefinition_passwords.generators.external-secrets.io.yml
  • bindata/external-secrets/resources/serviceaccount_external-secrets-cert-controller.yml
  • config/crd/bases/customresourcedefinition_generatorstates.generators.external-secrets.io.yml
  • bindata/external-secrets/resources/clusterrole_external-secrets-servicebindings.yml
  • config/crd/bases/customresourcedefinition_sshkeys.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_clusterexternalsecrets.external-secrets.io.yml
  • config/crd/bases/operator.openshift.io_externalsecretsmanagers.yaml
  • go.mod
  • config/crd/bases/customresourcedefinition_quayaccesstokens.generators.external-secrets.io.yml
  • bundle/manifests/generators.external-secrets.io_acraccesstokens.yaml
  • Makefile
  • bundle/manifests/generators.external-secrets.io_stssessiontokens.yaml
  • bundle/manifests/external-secrets.io_secretstores.yaml
  • pkg/operator/assets/bindata.go
  • bindata/external-secrets/resources/validatingwebhookconfiguration_secretstore-validate.yml
  • config/crd/bases/customresourcedefinition_externalsecrets.external-secrets.io.yml
  • bindata/external-secrets/resources/clusterrole_external-secrets-cert-controller.yml
  • bundle/manifests/external-secrets-operator.clusterserviceversion.yaml
  • config/crd/bases/customresourcedefinition_clustergenerators.generators.external-secrets.io.yml
  • bindata/external-secrets/resources/deployment_external-secrets-cert-controller.yml
  • config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml
  • bundle/manifests/external-secrets.io_externalsecrets.yaml
  • config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml
  • bundle/manifests/generators.external-secrets.io_clustergenerators.yaml
  • config/crd/bases/customresourcedefinition_secretstores.external-secrets.io.yml
  • bundle/manifests/generators.external-secrets.io_vaultdynamicsecrets.yaml
  • bundle/manifests/external-secrets.io_clustersecretstores.yaml

Comment on lines +4881 to +4891
description: |-
CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
Only applies to Vault KV v2 stores. When enabled, write operations must include
the current version of the secret to prevent unintentional overwrites.
properties:
required:
description: |-
Required when true, all write operations must include a check-and-set parameter.
This helps prevent unintentional overwrites of secrets.
type: boolean
type: object
⚠️ Potential issue | 🟠 Major

Gate Vault Check-And-Set to KV v2 only.

CAS only applies to Vault KV v2. Currently users can set checkAndSet with version=v1, leading to confusing write errors. Add a schema rule under the vault object.

Apply this diff (under spec.provider.properties.vault, alongside properties/required/type):

   vault:
     description: Vault configures this store to sync secrets using
       Hashi provider
     properties:
       ...
       version:
         default: v2
         enum:
         - v1
         - v2
         type: string
     required:
     - server
     type: object
+    x-kubernetes-validations:
+    - rule: "!has(self.checkAndSet) || self.version == 'v2'"
+      message: "checkAndSet is supported only with Vault KV v2."
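
Review bot: this block targets a generated file (the later comment on the Azure schema in config/crd/bases notes that these CRDs are generated from the Go types), so a hand edit here is lost on the next regeneration; express the rule as a `+kubebuilder:validation:XValidation` marker on the Vault provider type and regenerate, which also produces the second occurrence at 4998-5005 without editing it separately. The rule itself is placed correctly, beside `type: object` at the vault object level, where `self` is the vault block.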

Also applies to: 4998-5005

@siddhibhor-56 siddhibhor-56 changed the title Upstream bump for v0.20.x and rebase for v1.1.0 release ESO-267:Upstream bump for v0.20.x and rebase for v1.1.0 release Dec 11, 2025
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Dec 11, 2025
@openshift-ci-robot
openshift-ci-robot commented Dec 11, 2025

@siddhibhor-56: This pull request references ESO-267 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 12, 2025
# Conflicts:
#	vendor/github.com/golangci/golines/.gitignore
#	vendor/github.com/olekukonko/tablewriter/README.md
#	vendor/github.com/olekukonko/tablewriter/csv.go
#	vendor/golang.org/x/crypto/salsa20/salsa/hsalsa20.go
#	vendor/golang.org/x/net/context/context.go
#	vendor/golang.org/x/net/http2/config.go
#	vendor/golang.org/x/net/http2/server.go
#	vendor/golang.org/x/sys/unix/affinity_linux.go
#	vendor/golang.org/x/sys/windows/zsyscall_windows.go
#	vendor/golang.org/x/tools/internal/analysisinternal/analysis.go
#	vendor/golang.org/x/tools/internal/astutil/equal.go
#	vendor/golang.org/x/tools/internal/astutil/util.go
#	vendor/google.golang.org/grpc/version.go
#	vendor/google.golang.org/protobuf/internal/version/version.go
#	vendor/modules.txt
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 15, 2025
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
bindata/external-secrets/resources/clusterrole_external-secrets-controller.yml (1)

87-101: Re-evaluate need for cluster-wide namespaces write permissions

This new rule grants the controller update and patch on all namespaces cluster‑wide. That’s a powerful permission surface and a notable security posture change.

If this is required (e.g., to manage labels/annotations for integration), consider:

  • Documenting the exact operations the controller performs on namespaces, and/or
  • Exploring whether this can be constrained (e.g., to specific namespaces via a Role or alternate mechanism) to better adhere to least‑privilege.

At minimum, please double‑check the upstream rationale and confirm this level of access is intentional and acceptable for OpenShift clusters.

♻️ Duplicate comments (14)
rebase-automation.sh (4)

8-15: REPO_ROOT is unused and script assumes repo-root working directory

REPO_ROOT is defined but never used, and all operations reference Makefile, config/manifests/..., etc. relative to the current directory. If the script is run from outside the repo root, it will fail in non-obvious ways.

Either:

  • cd "$REPO_ROOT" early in main, or
  • Remove REPO_ROOT and explicitly document that the script must be invoked from the repo root.

58-68: Harden auto-detection of OLD_ versions from Makefile*

grep | cut | tr chains are used to populate OLD_BUNDLE_VERSION and OLD_EXTERNAL_SECRETS_VERSION, but failures (no match, format drift) just yield empty strings that only get caught by the final combined if [[ -z ... ]] check. That makes it harder to see which lookup failed and why.

Consider:

  • Checking each lookup separately and logging a specific error before exiting, and/or
  • Validating the detected value against a simple version pattern before proceeding.

101-119: sed -i is not portable across macOS and Linux

The in-place sed calls rely on GNU sed (sed -i ...), which will fail on macOS unless a backup suffix is provided (e.g. -i '' or -i.bak). To keep the script usable for contributors on macOS, please switch to a portable pattern, such as:

sed -i.bak "s/^VERSION ?= $OLD_BUNDLE_VERSION/VERSION ?= $NEW_BUNDLE_VERSION/" Makefile && rm -f Makefile.bak
sed -i.bak "s|^EXTERNAL_SECRETS_VERSION ?= $OLD_EXTERNAL_SECRETS_VERSION|EXTERNAL_SECRETS_VERSION ?= $NEW_EXTERNAL_SECRETS_VERSION|" Makefile && rm -f Makefile.bak

139-168: CSV update silently no-ops when file is missing

If config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml does not exist, the function just skips updates and still logs “Step 4 completed”, which is misleading and can mask packaging issues.

Add an else branch to the if [[ -f "$csv_file" ]] guard that logs an error and returns non‑zero (or exits), so failures in this critical asset are visible:

local csv_file="config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml"
if [[ -f "$csv_file" ]]; then
    # existing sed updates...
else
    log_error "CSV file not found: $csv_file"
    return 1
fi
config/crd/bases/customresourcedefinition_clustersecretstores.external-secrets.io.yml (1)

642-851: Enforce AzureStackCloud + customCloudConfig/useAzureSDK invariants via CEL validation

azurekv.environmentType, customCloudConfig, and useAzureSDK are only documented, not enforced. Users can set environmentType: AzureStackCloud without customCloudConfig or useAzureSDK: true, or set customCloudConfig while leaving useAzureSDK false, leading to hard‑to‑diagnose runtime failures.

Add CEL validations at the azurekv object level so misconfigurations are rejected at admission time, e.g.:

                     azurekv:
                       description: AzureKV configures this store to sync secrets using Azure Key Vault provider
                       properties:
                         authSecretRef:
                           ...
                         authType:
                           ...
-                        customCloudConfig:
+                        customCloudConfig:
                           ...
                         environmentType:
                           ...
                         identityId:
                           ...
                         tenantId:
                           ...
-                        useAzureSDK:
+                        useAzureSDK:
                           ...
                         vaultUrl:
                           ...
                       required:
                         - vaultUrl
-                      type: object
+                      type: object
+                      x-kubernetes-validations:
+                        - rule: "self.environmentType != 'AzureStackCloud' || (has(self.customCloudConfig) && self.useAzureSDK == true)"
+                          message: "AzureStackCloud requires customCloudConfig and useAzureSDK=true."
+                        - rule: "!has(self.customCloudConfig) || self.useAzureSDK == true"
+                          message: "customCloudConfig requires useAzureSDK=true."
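
Review bot: the `-`/`+` pairs for customCloudConfig, useAzureSDK and `type: object` remove and re-add identical lines; only the three `x-kubernetes-validations` lines are an actual change, so trim the hunk to those to keep the intent clear. The first rule dereferences `self.environmentType` unconditionally; unless that field carries a default in the schema (its definition is elided here), prefix the rule with `!has(self.environmentType) ||` so an object that omits environmentType does not make the rule error instead of pass.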

Important:

  • This YAML is generated; add the corresponding +kubebuilder:validation:XValidation annotations to the Go type for the AzureKV provider (both ClusterSecretStore and SecretStore) and regenerate CRDs rather than editing this file directly.
  • Ensure the minimum supported Kubernetes version for this operator has CEL (x-kubernetes-validations) enabled (1.25+, GA in 1.26+).
bundle/manifests/external-secrets.io_clustersecretstores.yaml (2)

809-835: Add CEL validations to gate Azure customCloudConfig to useAzureSDK=true and environmentType=AzureStackCloud.

Right now nothing prevents users from setting customCloudConfig with the legacy SDK (useAzureSDK=false) or with a non‑AzureStackCloud environment, which upstream docs say is invalid and will fail at runtime. Please enforce this at schema level with x-kubernetes-validations on the azurekv object.

Example patch (v1 schema, under spec.properties.provider.properties.azurekv):

   azurekv:
     description: AzureKV configures this store to sync secrets using
       Azure Key Vault provider
     properties:
@@
       useAzureSDK:
         default: false
@@
         type: boolean
       vaultUrl:
         description: Vault Url from which the secrets to be fetched
           from.
         type: string
+    x-kubernetes-validations:
+    - rule: "!has(self.customCloudConfig) || self.useAzureSDK == true"
+      message: "customCloudConfig requires useAzureSDK=true (azcore-based Azure SDK)."
+    - rule: "!has(self.customCloudConfig) || self.environmentType == 'AzureStackCloud'"
+      message: "customCloudConfig is only supported with environmentType=AzureStackCloud."
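
Review bot: this rule set is weaker than the one proposed for the same azurekv schema in config/crd/bases earlier in this review: it only constrains objects that set customCloudConfig, so a store with `environmentType: AzureStackCloud` and no customCloudConfig still passes here while it would be rejected there. Add the AzureStackCloud-requires-customCloudConfig direction, and define the rules once on the AzureKV Go type so the bundle/ and config/ copies cannot diverge. `self.environmentType` also needs a has() guard unless the field has a default.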

(Apply equivalent rules wherever this Azure customCloudConfig appears in other CRDs in this PR to keep behavior consistent.)

Also applies to: 836-850, 891-896


4880-4891: Gate Vault checkAndSet to KV v2 with x-kubernetes-validations (both v1 and v1beta1 schemas).

checkAndSet only makes sense for Vault KV v2. As it stands, users can set checkAndSet while version: v1, which will only surface as confusing Vault write errors at runtime. This should be rejected by CRD validation.

For the v1 schema (top versions[].name: v1, under spec.properties.provider.properties.vault):

   vault:
@@
     required:
     - server
-    type: object
+    type: object
+    x-kubernetes-validations:
+    - rule: "!has(self.checkAndSet) || self.version == 'v2'"
+      message: "checkAndSet is supported only with Vault KV v2."
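
Review bot: copying this block into the v1beta1 vault schema only works if that schema actually defines checkAndSet; the comment on bundle/manifests/external-secrets.io_secretstores.yaml in this same review says to apply the rule there only "if/when checkAndSet is added", and a CEL rule that references a field the schema does not declare is rejected when the CRD is applied. Confirm the v1beta1 block at 8852-9645 has the field before adding the rule, or leave the deprecated version alone.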

For the deprecated v1beta1 schema (bottom versions[].name: v1beta1, under its own spec.properties.provider.properties.vault), add the same x-kubernetes-validations block under that vault object as well to keep the API surface coherent.

Also applies to: 4997-5005, 8852-9645

config/crd/bases/customresourcedefinition_externalsecrets.external-secrets.io.yml (1)

6-6: v1 vs v1beta1 schema drift for Cloudsmith, finalizers, and selectableFields

v1 now exposes CloudsmithAccessToken in both generatorRef.kind enums, adds template.metadata.finalizers[], and defines selectableFields, but the deprecated v1beta1 schema still lacks these additions. Even though v1beta1 is served: false and storage: false, keeping its schema in sync with v1 (same enum members, finalizers field, and selectableFields) would avoid confusion and reduce future maintenance work.

If you plan to keep v1beta1 around, consider mirroring the v1 changes into its OpenAPI schema.

Also applies to: 135-153, 353-371, 511-514, 650-654, 771-787, 954-978, 1112-1122

config/crd/bases/customresourcedefinition_secretstores.external-secrets.io.yml (3)

765-788: Azure Stack: schema still doesn’t enforce required coupling between environmentType, customCloudConfig, and useAzureSDK

Docs say AzureStackCloud requires customCloudConfig and useAzureSDK=true, but the CRD only documents this in descriptions. Misconfigurations (e.g., environmentType: AzureStackCloud without customCloudConfig or with useAzureSDK: false, or customCloudConfig set for non‑AzureStackCloud) will only fail at runtime.

Add CEL validations under spec.provider.azurekv to enforce this:

   azurekv:
     description: AzureKV configures this store to sync secrets using Azure Key Vault provider
     properties:
@@
       useAzureSDK:
         default: false
         description: |-
           UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
           This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
         type: boolean
+    x-kubernetes-validations:
+      - rule: "self.environmentType != 'AzureStackCloud' || (has(self.customCloudConfig) && has(self.customCloudConfig.activeDirectoryEndpoint) && self.useAzureSDK == true)"
+        message: "When environmentType is AzureStackCloud, set useAzureSDK=true and provide customCloudConfig.activeDirectoryEndpoint."
+      - rule: "!has(self.customCloudConfig) || self.environmentType == 'AzureStackCloud'"
+        message: "customCloudConfig is only supported with environmentType AzureStackCloud."
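
Review bot: this is a third variant of the azurekv rule set within one review (the two clustersecretstores comments use different conditions and messages, and neither requires `customCloudConfig.activeDirectoryEndpoint`); since all of these CRDs come from the same AzureKV Go type, pick one set, put it on the type as the parenthetical suggests, and regenerate, otherwise SecretStore and ClusterSecretStore will accept different inputs. Guard `self.environmentType` with has() unless the field carries a default.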

(If you prefer, add equivalent +kubebuilder:validation:XValidation to the Go type and regenerate the CRD.)

Also applies to: 789-803, 840-845


1815-1927: GCP workloadIdentityFederation: audience requirement is still not enforced by schema

The description states audience is mandatory when serviceAccountRef or awsSecurityCredentials is set, but the CRD doesn’t enforce that. Users can submit invalid resources that only fail at runtime.

Add CEL validations under spec.provider.gcpsm.auth.workloadIdentityFederation:

         workloadIdentityFederation:
           description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
           properties:
             audience:
@@
             serviceAccountRef:
               ...
           type: object
+          x-kubernetes-validations:
+            - rule: "(has(self.serviceAccountRef) || has(self.awsSecurityCredentials)) ? (has(self.audience) && self.audience != '') : true"
+              message: "audience is required when serviceAccountRef or awsSecurityCredentials is set."
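
Review bot: this only enforces the audience requirement, while the comment on the bundle copy of the same schema later in this review also adds an exactly-one rule over credConfig, serviceAccountRef and awsSecurityCredentials. Keep the two copies identical, preferably via one marker on the GCPWorkloadIdentityFederation Go type, so config/ and bundle/ CRDs do not diverge.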

You can also encode this as +kubebuilder:validation:XValidation on the Go type and regenerate.


4570-4581: Vault CAS: still not gated to KV v2 and required lacks a safe default

checkAndSet is documented as “Only applies to Vault KV v2”, but the schema allows it for any version. Also, required has no default, so users may unintentionally enable strict CAS semantics.

To align behavior with docs and reduce surprises:

         vault:
           properties:
@@
-        checkAndSet:
-          description: |-
-            CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
-            Only applies to Vault KV v2 stores. When enabled, write operations must include
-            the current version of the secret to prevent unintentional overwrites.
-          properties:
-            required:
-              description: |-
-                Required when true, all write operations must include a check-and-set parameter.
-                This helps prevent unintentional overwrites of secrets.
-              type: boolean
-          type: object
+        checkAndSet:
+          description: |-
+            CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
+            Only applies to Vault KV v2 stores. When enabled, write operations must include
+            the current version of the secret to prevent unintentional overwrites.
+          properties:
+            required:
+              description: |-
+                Required when true, all write operations must include a check-and-set parameter.
+                This helps prevent unintentional overwrites of secrets.
+              type: boolean
+              default: false
+          type: object
+      x-kubernetes-validations:
+        - rule: "!has(self.vault) || !has(self.vault.checkAndSet) || self.vault.version == 'v2'"
+          message: "Vault checkAndSet is only supported for KV version v2."
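
Review bot: the removed and re-added checkAndSet block differs only in the `default: false` line, so the hunk should be reduced to that single addition; as written, the re-added block is also indented to the same column as `vault:` rather than under its `properties:`, which would move the field out of the vault object. The rule references `self.vault.checkAndSet`, so it belongs on the provider object one level above `vault:`; the placement shown, at a shallower indentation than `vault:` with no surrounding context, should be resolved against the generated file rather than applied as-is.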

(Adjust the CEL path if you prefer attaching the validation closer to the vault block.)

bundle/manifests/external-secrets.io_secretstores.yaml (3)

809-835: Enforce AzureStack & WorkloadIdentity invariants with CEL; fix doc casing

The new customCloudConfig, environmentType=AzureStackCloud, and useAzureSDK wiring is only documented, not enforced. Misconfig (AzureStackCloud without customCloudConfig or with useAzureSDK=false) will fail at runtime. Likewise, authType=WorkloadIdentity should require serviceAccountRef. Also the description still uses EnvironmentType/UseAzureSDK instead of the actual field names.

Add CEL validations under provider.azurekv and align the docs, e.g.:

       authType:
         ...
         type: string
+      x-kubernetes-validations:
+      - rule: "self.environmentType != 'AzureStackCloud' || has(self.customCloudConfig)"
+        message: "customCloudConfig is required when environmentType is AzureStackCloud."
+      - rule: "self.environmentType != 'AzureStackCloud' || self.useAzureSDK == true"
+        message: "useAzureSDK must be true for AzureStackCloud."
+      - rule: "self.authType != 'WorkloadIdentity' || has(self.serviceAccountRef)"
+        message: "serviceAccountRef is required for WorkloadIdentity."
@@
-        description: |-
-          CustomCloudConfig defines custom Azure Stack Hub or Azure Stack Edge endpoints.
-          Required when EnvironmentType is AzureStackCloud.
-          IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
+        description: |-
+          CustomCloudConfig defines custom Azure Stack Hub or Azure Stack Edge endpoints.
+          Required when environmentType is AzureStackCloud.
+          IMPORTANT: This feature REQUIRES useAzureSDK to be set to true. Custom cloud
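
Review bot: the `x-kubernetes-validations` block is indented to the same column as `authType:`, i.e. inside the azurekv `properties:` map, where it would be read as a property named x-kubernetes-validations rather than an object-level validation, and the rules would never run; move it beside azurekv's `type: object`, as the clustersecretstores suggestion in this review does. Guard `self.environmentType` and `self.authType` with has() unless both fields default in the schema. The casing fix in the description is correct.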

Also applies to: 836-850, 891-896


1948-2068: GCP Workload Identity Federation: enforce audience & single token source

workloadIdentityFederation documents that audience is required when serviceAccountRef or awsSecurityCredentials is used and implies exactly one of credConfig, serviceAccountRef, awsSecurityCredentials should be set, but the schema does not enforce this. Invalid combinations will be accepted by the API and fail later.

Add CEL validations at the workloadIdentityFederation object level:

       workloadIdentityFederation:
         description: GCPWorkloadIdentityFederation holds the configurations
           required for generating federated access tokens.
         properties:
           audience:
             ...
           awsSecurityCredentials:
             ...
           credConfig:
             ...
           serviceAccountRef:
             ...
+        x-kubernetes-validations:
+        - rule: "(has(self.serviceAccountRef) || has(self.awsSecurityCredentials)) ? has(self.audience) : true"
+          message: "audience is required when serviceAccountRef or awsSecurityCredentials is set."
+        - rule: "int(has(self.credConfig)) + int(has(self.serviceAccountRef)) + int(has(self.awsSecurityCredentials)) == 1"
+          message: "Configure exactly one of credConfig, serviceAccountRef, or awsSecurityCredentials."
         type: object
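
Review bot: `int(has(...))` is not valid CEL; the int() conversion accepts uint, double, string and timestamp operands but not bool, so the second rule fails to compile and the CRD is rejected on apply. Write the exactly-one check as `[has(self.credConfig), has(self.serviceAccountRef), has(self.awsSecurityCredentials)].filter(x, x).size() == 1`, or spell out the three mutually exclusive combinations with `&&`/`||`. The first rule is fine as written.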

4880-4891: Restrict Vault checkAndSet to KV v2 via CEL

checkAndSet is documented as “Only applies to Vault KV v2 stores” but the schema allows it for any version. That can produce confusing behavior when users set CAS on v1 engines.

Add an object-level validation under provider.vault:

       caProvider:
         ...
         type: object
+      x-kubernetes-validations:
+      - rule: "!has(self.checkAndSet) || self.version == 'v2'"
+        message: "checkAndSet is only supported with Vault KV v2."
       checkAndSet:
         description: |-
           CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
           Only applies to Vault KV v2 stores. When enabled, write operations must include
           the current version of the secret to prevent unintentional overwrites.
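
Review bot: the validation block is inserted between `caProvider:` and `checkAndSet:` at their indentation, which is inside the vault `properties:` map; there it is a bogus property rather than a validation, and `self` in the rule would not be the vault object. Attach it at the vault object level beside `type: object`, as the clustersecretstores comment in this review shows, or add it as a marker on the Vault provider Go type and regenerate.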

(Apply the same validation in the v1beta1 vault schema if/when checkAndSet is added there.)

Also applies to: 4998-5005

🧹 Nitpick comments (4)
rebase-automation.sh (1)

214-215: Consider defaulting TARGET_BRANCH to main to match this repo

TARGET_BRANCH defaults to master, but this repository’s default/target branch (per this PR) is main. While it’s only used in a log message, aligning the default avoids repeated confusion:

TARGET_BRANCH="${TARGET_BRANCH:-main}"
bundle/manifests/external-secrets.io_externalsecrets.yaml (1)

144-160: Consider updating deprecated v1beta1 schema to mirror new v1 fields

You’ve added CloudsmithAccessToken to the v1 generatorRef.kind enums, template.metadata.finalizers[], and selectableFields, but v1beta1 still lacks these additions while retaining largely the same surface. Even though v1beta1 is deprecated and served: false, keeping its OpenAPI schema aligned with v1 (same new enum values, finalizers field, and selectableFields) would avoid drift and reduce future maintenance surprises.

If you keep v1beta1 around, consider mirroring the v1 changes into the v1beta1 enums and template metadata.

Also applies to: 373-389, 533-537, 676-681, 804-820, 994-1020, 1155-1167

config/crd/bases/customresourcedefinition_secretstores.external-secrets.io.yml (1)

1690-1691: fake.validationResult looks harmless but double‑check it’s intentional API surface

The new spec.provider.fake.validationResult: integer field changes the public CRD API for the fake provider. If this is only internal/test bookkeeping, consider keeping it out of the public schema; otherwise, it’s fine as is.

bundle/manifests/generators.external-secrets.io_clustergenerators.yaml (1)

216-263: Missing description field on cloudsmithAccessTokenSpec.

Other generator specs like acrAccessTokenSpec (line 54) include a description block, but cloudsmithAccessTokenSpec omits it. While the nested fields have descriptions, adding a top-level description would improve schema documentation consistency.

Consider adding a description to cloudsmithAccessTokenSpec similar to the pattern used in other specs:

  cloudsmithAccessTokenSpec:
+   description: CloudsmithAccessTokenSpec defines how to generate Cloudsmith access tokens.
    properties:
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 07f8654 and e89bee9.

⛔ Files ignored due to path filters (9)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/NYTimes/gziphandler/.gitignore is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/NYTimes/gziphandler/.travis.yml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/NYTimes/gziphandler/CODE_OF_CONDUCT.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/NYTimes/gziphandler/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/NYTimes/gziphandler/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/NYTimes/gziphandler/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/NYTimes/gziphandler/gzip.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/NYTimes/gziphandler/gzip_go18.go is excluded by !vendor/**, !**/vendor/**
📒 Files selected for processing (79)
  • Makefile (1 hunks)
  • bindata/external-secrets/resources/certificate_external-secrets-webhook.yml (1 hunks)
  • bindata/external-secrets/resources/clusterrole_external-secrets-cert-controller.yml (2 hunks)
  • bindata/external-secrets/resources/clusterrole_external-secrets-controller.yml (3 hunks)
  • bindata/external-secrets/resources/clusterrole_external-secrets-edit.yml (2 hunks)
  • bindata/external-secrets/resources/clusterrole_external-secrets-servicebindings.yml (1 hunks)
  • bindata/external-secrets/resources/clusterrole_external-secrets-view.yml (2 hunks)
  • bindata/external-secrets/resources/clusterrolebinding_external-secrets-cert-controller.yml (1 hunks)
  • bindata/external-secrets/resources/clusterrolebinding_external-secrets-controller.yml (1 hunks)
  • bindata/external-secrets/resources/deployment_bitwarden-sdk-server.yml (2 hunks)
  • bindata/external-secrets/resources/deployment_external-secrets-cert-controller.yml (3 hunks)
  • bindata/external-secrets/resources/deployment_external-secrets-webhook.yml (3 hunks)
  • bindata/external-secrets/resources/deployment_external-secrets.yml (3 hunks)
  • bindata/external-secrets/resources/role_external-secrets-leaderelection.yml (1 hunks)
  • bindata/external-secrets/resources/rolebinding_external-secrets-leaderelection.yml (1 hunks)
  • bindata/external-secrets/resources/secret_external-secrets-webhook.yml (1 hunks)
  • bindata/external-secrets/resources/service_bitwarden-sdk-server.yml (1 hunks)
  • bindata/external-secrets/resources/service_external-secrets-cert-controller-metrics.yml (1 hunks)
  • bindata/external-secrets/resources/service_external-secrets-metrics.yml (1 hunks)
  • bindata/external-secrets/resources/service_external-secrets-webhook.yml (1 hunks)
  • bindata/external-secrets/resources/serviceaccount_bitwarden-sdk-server.yml (1 hunks)
  • bindata/external-secrets/resources/serviceaccount_external-secrets-cert-controller.yml (1 hunks)
  • bindata/external-secrets/resources/serviceaccount_external-secrets-webhook.yml (1 hunks)
  • bindata/external-secrets/resources/serviceaccount_external-secrets.yml (1 hunks)
  • bindata/external-secrets/resources/validatingwebhookconfiguration_externalsecret-validate.yml (1 hunks)
  • bindata/external-secrets/resources/validatingwebhookconfiguration_secretstore-validate.yml (1 hunks)
  • bundle/manifests/external-secrets-operator.clusterserviceversion.yaml (4 hunks)
  • bundle/manifests/external-secrets.io_clusterexternalsecrets.yaml (4 hunks)
  • bundle/manifests/external-secrets.io_clusterpushsecrets.yaml (3 hunks)
  • bundle/manifests/external-secrets.io_clustersecretstores.yaml (15 hunks)
  • bundle/manifests/external-secrets.io_externalsecrets.yaml (5 hunks)
  • bundle/manifests/external-secrets.io_pushsecrets.yaml (3 hunks)
  • bundle/manifests/external-secrets.io_secretstores.yaml (15 hunks)
  • bundle/manifests/generators.external-secrets.io_acraccesstokens.yaml (2 hunks)
  • bundle/manifests/generators.external-secrets.io_clustergenerators.yaml (6 hunks)
  • bundle/manifests/generators.external-secrets.io_ecrauthorizationtokens.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_gcraccesstokens.yaml (2 hunks)
  • bundle/manifests/generators.external-secrets.io_generatorstates.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_githubaccesstokens.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_grafanas.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_mfas.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_passwords.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_quayaccesstokens.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_sshkeys.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_stssessiontokens.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_uuids.yaml (1 hunks)
  • bundle/manifests/generators.external-secrets.io_vaultdynamicsecrets.yaml (2 hunks)
  • bundle/manifests/generators.external-secrets.io_webhooks.yaml (1 hunks)
  • bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml (3 hunks)
  • bundle/manifests/operator.openshift.io_externalsecretsmanagers.yaml (3 hunks)
  • config/crd/bases/customresourcedefinition_acraccesstokens.generators.external-secrets.io.yml (2 hunks)
  • config/crd/bases/customresourcedefinition_cloudsmithaccesstokens.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_clusterexternalsecrets.external-secrets.io.yml (4 hunks)
  • config/crd/bases/customresourcedefinition_clustergenerators.generators.external-secrets.io.yml (6 hunks)
  • config/crd/bases/customresourcedefinition_clusterpushsecrets.external-secrets.io.yml (3 hunks)
  • config/crd/bases/customresourcedefinition_clustersecretstores.external-secrets.io.yml (15 hunks)
  • config/crd/bases/customresourcedefinition_ecrauthorizationtokens.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_externalsecrets.external-secrets.io.yml (5 hunks)
  • config/crd/bases/customresourcedefinition_gcraccesstokens.generators.external-secrets.io.yml (2 hunks)
  • config/crd/bases/customresourcedefinition_generatorstates.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_githubaccesstokens.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_grafanas.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_mfas.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_passwords.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_pushsecrets.external-secrets.io.yml (3 hunks)
  • config/crd/bases/customresourcedefinition_quayaccesstokens.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_secretstores.external-secrets.io.yml (15 hunks)
  • config/crd/bases/customresourcedefinition_sshkeys.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_stssessiontokens.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_uuids.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/customresourcedefinition_vaultdynamicsecrets.generators.external-secrets.io.yml (2 hunks)
  • config/crd/bases/customresourcedefinition_webhooks.generators.external-secrets.io.yml (1 hunks)
  • config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml (3 hunks)
  • config/crd/bases/operator.openshift.io_externalsecretsmanagers.yaml (3 hunks)
  • config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml (3 hunks)
  • go.mod (3 hunks)
  • pkg/controller/external_secrets/deployments_test.go (1 hunks)
  • pkg/operator/assets/bindata.go (37 hunks)
  • rebase-automation.sh (1 hunks)
✅ Files skipped from review due to trivial changes (3)
  • bindata/external-secrets/resources/certificate_external-secrets-webhook.yml
  • bindata/external-secrets/resources/rolebinding_external-secrets-leaderelection.yml
  • bindata/external-secrets/resources/clusterrolebinding_external-secrets-cert-controller.yml
🚧 Files skipped from review as they are similar to previous changes (39)
  • config/crd/bases/customresourcedefinition_grafanas.generators.external-secrets.io.yml
  • bundle/manifests/generators.external-secrets.io_githubaccesstokens.yaml
  • bundle/manifests/generators.external-secrets.io_ecrauthorizationtokens.yaml
  • bindata/external-secrets/resources/serviceaccount_external-secrets-webhook.yml
  • bundle/manifests/generators.external-secrets.io_grafanas.yaml
  • bindata/external-secrets/resources/secret_external-secrets-webhook.yml
  • bundle/manifests/generators.external-secrets.io_webhooks.yaml
  • config/crd/bases/customresourcedefinition_acraccesstokens.generators.external-secrets.io.yml
  • bundle/manifests/external-secrets.io_clusterpushsecrets.yaml
  • bindata/external-secrets/resources/validatingwebhookconfiguration_externalsecret-validate.yml
  • pkg/controller/external_secrets/deployments_test.go
  • bundle/manifests/generators.external-secrets.io_quayaccesstokens.yaml
  • bindata/external-secrets/resources/service_external-secrets-cert-controller-metrics.yml
  • config/crd/bases/customresourcedefinition_githubaccesstokens.generators.external-secrets.io.yml
  • bundle/manifests/generators.external-secrets.io_passwords.yaml
  • config/crd/bases/customresourcedefinition_pushsecrets.external-secrets.io.yml
  • bindata/external-secrets/resources/validatingwebhookconfiguration_secretstore-validate.yml
  • bindata/external-secrets/resources/deployment_external-secrets-webhook.yml
  • bindata/external-secrets/resources/service_external-secrets-webhook.yml
  • bindata/external-secrets/resources/serviceaccount_external-secrets.yml
  • bundle/manifests/generators.external-secrets.io_mfas.yaml
  • bindata/external-secrets/resources/clusterrole_external-secrets-edit.yml
  • bundle/manifests/generators.external-secrets.io_sshkeys.yaml
  • pkg/operator/assets/bindata.go
  • bindata/external-secrets/resources/deployment_external-secrets.yml
  • bundle/manifests/generators.external-secrets.io_uuids.yaml
  • bindata/external-secrets/resources/clusterrole_external-secrets-view.yml
  • bundle/manifests/generators.external-secrets.io_stssessiontokens.yaml
  • bundle/manifests/generators.external-secrets.io_acraccesstokens.yaml
  • bundle/manifests/external-secrets.io_clusterexternalsecrets.yaml
  • config/crd/bases/customresourcedefinition_passwords.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_clusterpushsecrets.external-secrets.io.yml
  • bundle/manifests/external-secrets.io_pushsecrets.yaml
  • bundle/manifests/generators.external-secrets.io_vaultdynamicsecrets.yaml
  • bindata/external-secrets/resources/serviceaccount_bitwarden-sdk-server.yml
  • bindata/external-secrets/resources/service_external-secrets-metrics.yml
  • config/crd/bases/customresourcedefinition_uuids.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_stssessiontokens.generators.external-secrets.io.yml
  • bindata/external-secrets/resources/role_external-secrets-leaderelection.yml
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • bindata/external-secrets/resources/deployment_external-secrets-cert-controller.yml
  • bundle/manifests/generators.external-secrets.io_generatorstates.yaml
  • bindata/external-secrets/resources/clusterrole_external-secrets-controller.yml
  • bindata/external-secrets/resources/deployment_bitwarden-sdk-server.yml
  • config/crd/bases/customresourcedefinition_clusterexternalsecrets.external-secrets.io.yml
  • bindata/external-secrets/resources/service_bitwarden-sdk-server.yml
  • config/crd/bases/customresourcedefinition_cloudsmithaccesstokens.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_mfas.generators.external-secrets.io.yml
  • bundle/manifests/external-secrets.io_externalsecrets.yaml
  • bindata/external-secrets/resources/clusterrole_external-secrets-servicebindings.yml
  • config/crd/bases/customresourcedefinition_sshkeys.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_gcraccesstokens.generators.external-secrets.io.yml
  • bindata/external-secrets/resources/clusterrolebinding_external-secrets-controller.yml
  • config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml
  • bundle/manifests/operator.openshift.io_externalsecretsmanagers.yaml
  • bundle/manifests/generators.external-secrets.io_gcraccesstokens.yaml
  • config/crd/bases/customresourcedefinition_quayaccesstokens.generators.external-secrets.io.yml
  • go.mod
  • config/crd/bases/customresourcedefinition_webhooks.generators.external-secrets.io.yml
  • rebase-automation.sh
  • bundle/manifests/generators.external-secrets.io_clustergenerators.yaml
  • config/crd/bases/operator.openshift.io_externalsecretsmanagers.yaml
  • Makefile
  • bundle/manifests/external-secrets-operator.clusterserviceversion.yaml
  • config/crd/bases/customresourcedefinition_clustergenerators.generators.external-secrets.io.yml
  • bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml
  • bindata/external-secrets/resources/clusterrole_external-secrets-cert-controller.yml
  • bundle/manifests/external-secrets.io_secretstores.yaml
  • config/crd/bases/customresourcedefinition_secretstores.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_clustersecretstores.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_ecrauthorizationtokens.generators.external-secrets.io.yml
  • config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml
  • bundle/manifests/external-secrets.io_clustersecretstores.yaml
  • bindata/external-secrets/resources/serviceaccount_external-secrets-cert-controller.yml
  • config/crd/bases/customresourcedefinition_vaultdynamicsecrets.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_externalsecrets.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_generatorstates.generators.external-secrets.io.yml
🪛 Shellcheck (0.11.0)
rebase-automation.sh

[warning] 9-9: REPO_ROOT appears unused. Verify use (or export if used externally).

(SC2034)


[warning] 72-72: Declare and assign separately to avoid masking return values.

(SC2155)

🔇 Additional comments (45)
bindata/external-secrets/resources/serviceaccount_external-secrets-cert-controller.yml (1)

10-10: LGTM!

The version label correctly reflects the v0.20.1 release as part of the coordinated upstream bump described in the PR objectives. The YAML syntax is valid and consistent with related manifest updates in the same release.

config/crd/bases/customresourcedefinition_sshkeys.generators.external-secrets.io.yml (1)

6-6: Version annotation update aligns with project-wide controller-gen bump to v0.19.0.

The CRD structure and SSHKey schema remain intact and valid. This change is consistent with systematic updates across all CRDs in the project (config/crd/bases and bundle/manifests) and is compatible with the project's Go 1.23 toolchain.

config/crd/bases/customresourcedefinition_webhooks.generators.external-secrets.io.yml (1)

6-6: Controller-gen version bump to v0.19.0 is appropriate and consistent across all CRDs.

This is part of a systematic upgrade across the entire CRD base. The Webhook schema is well-structured with proper validation constraints.

bindata/external-secrets/resources/deployment_bitwarden-sdk-server.yml (1)

10-10: Version and image tag bumps are consistent.

Both the label and image reference are correctly updated to v0.5.1. No functional issues detected.

Also applies to: 29-29

bindata/external-secrets/resources/clusterrolebinding_external-secrets-controller.yml (1)

9-9: Metadata label version bump only; RBAC rules unchanged.

The version label is updated to v0.20.1 to reflect the upstream bump, with no changes to role bindings or permissions.

config/crd/bases/customresourcedefinition_generatorstates.generators.external-secrets.io.yml (1)

6-6: Controller-gen annotation version update; schema unchanged.

The annotation is updated to v0.19.0. The GeneratorState spec remains unchanged (garbageCollectionDeadline, resource, state fields unmodified).

bundle/manifests/generators.external-secrets.io_generatorstates.yaml (1)

5-5: Bundle manifest mirrors config CRD update.

Version annotation correctly updated in bundle manifest to match config baseline (v0.18.0 → v0.19.0).

bindata/external-secrets/resources/service_bitwarden-sdk-server.yml (1)

10-10: Version label updated consistently with deployment.

Service label matches the deployment version bump to v0.5.1. No spec changes.

config/crd/bases/customresourcedefinition_mfas.generators.external-secrets.io.yml (1)

6-6: Standard controller-gen annotation bump; MFA schema unchanged.

Kubebuilder annotation correctly updated to v0.19.0. MFA spec definition (algorithm, length, secret, timePeriod, when fields) remains unchanged.

bindata/external-secrets/resources/clusterrole_external-secrets-servicebindings.yml (1)

10-10: Version label bump; RBAC rules unmodified.

Metadata label updated to v0.20.1 to align with upstream release. Permission rules for externalsecrets and pushsecrets remain unchanged.

config/crd/bases/customresourcedefinition_ecrauthorizationtokens.generators.external-secrets.io.yml (1)

6-6: Only the standard controller-gen annotation was updated.

The Kubebuilder annotation version was bumped from v0.18.0 to v0.19.0. No schema changes are present in this file. Disregard claims about environmentType or kind enum extensions—they do not exist here.

config/crd/bases/customresourcedefinition_quayaccesstokens.generators.external-secrets.io.yml (1)

5-6: controller-gen annotation bump is safe

Annotation updated to v0.19.0 only; no schema or behavior change. Looks consistent with the toolchain bump elsewhere.

bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml (1)

4-6: CRD doc/annotation updates align with upstream K8s semantics

  • controller-gen annotation bump to v0.19.0.
  • podAntiAffinity weight description updated to match current K8s API wording.
  • DynamicResourceAllocation gating text clarified for resources.claims.

All are documentation/metadata-only; no behavioral schema changes.

Also applies to: 638-648, 1051-1057

Makefile (1)

6-9: Version bumps and bundle channel flags look correct

  • Default operator VERSION → 1.1.0 and EXTERNAL_SECRETS_VERSION → v0.20.1 keep Makefile aligned with the release/bindata.
  • CHANNELS / DEFAULT_CHANNEL gating into BUNDLE_CHANNELS / BUNDLE_DEFAULT_CHANNEL and then BUNDLE_METADATA_OPTS is straightforward and preserves existing behavior when unset.
  • No impact on existing bundle target invocation; overrides are opt‑in via env or CLI.

No issues from a build/release or maintainability standpoint.

Also applies to: 16-29, 41-42

config/crd/bases/operator.openshift.io_externalsecretsmanagers.yaml (1)

4-6: Operator CRD metadata/text updates are benign

  • controller-gen annotation updated to v0.19.0.
  • podAntiAffinity preferred weight wording updated (subtracting) in line with current K8s API docs.
  • resources.claims description now references DynamicResourceAllocation feature gate more accurately.

All changes are descriptive/metadata only; schema structure and validation remain unchanged.

Also applies to: 632-642, 1048-1055

bindata/external-secrets/resources/clusterrole_external-secrets-controller.yml (1)

7-10: RBAC updates for new generator type are appropriate

  • Label bump to app.kubernetes.io/version: "v0.20.1" matches the external-secrets image bump.
  • Adding cloudsmithaccesstokens to the generators list aligns with the newly introduced CloudsmithAccessToken CRD and keeps read RBAC consistent with other generators.

No issues here.

Also applies to: 64-82

bindata/external-secrets/resources/clusterrole_external-secrets-cert-controller.yml (1)

7-10: Cert-controller RBAC extension to EndpointSlices is reasonable

  • Version label updated to v0.20.1, consistent with deployment and other RBAC.
  • New rule grants list/get/watch on discovery.k8s.io endpointslices, read‑only, which is a minimal extension likely needed for endpoint discovery.

No security or maintainability concerns with this change.

Also applies to: 41-55

bindata/external-secrets/resources/deployment_external-secrets-cert-controller.yml (1)

7-11: Cert-controller deployment version/image bump is consistent

Deployment and pod template labels, plus the cert-controller container image, are all bumped to v0.20.1 and remain otherwise unchanged. This keeps the operand aligned with the updated RBAC and CRDs.

Looks good.

Also applies to: 21-25, 31-43

config/crd/bases/customresourcedefinition_gcraccesstokens.generators.external-secrets.io.yml (1)

122-234: workloadIdentityFederation schema looks consistent and safe

The added workloadIdentityFederation block is structurally sound, follows existing validation patterns (secretRef/name constraints, required fields), and matches the GCP federation model used elsewhere in the PR. No issues from a schema or security perspective.

go.mod (1)

3-321: Module and dependency bumps align with an upstream rebase; verify toolchain/CI support

The Go and K8s/controller-runtime/controller-tools bumps plus the external-secrets replace look coherent for the v0.20.1 rebase. Please just confirm that:

  • Your CI/build images are actually using Go 1.23, and
  • These K8s library versions match the intended OCP/Kubernetes compatibility matrix.

bundle/manifests/generators.external-secrets.io_gcraccesstokens.yaml (1)

5-242: Bundled GCRAccessToken CRD matches base schema

The updated controller-gen annotation and added workloadIdentityFederation section mirror the base CRD and keep the bundle in sync. No functional or schema issues spotted.

bundle/manifests/operator.openshift.io_externalsecretsmanagers.yaml (1)

5-1151: CRD doc/annotation updates align with upstream Kubernetes semantics

The controller-gen version bump and description tweaks (pod anti-affinity weighting, DynamicResourceAllocation note) match upstream Kubernetes API descriptions and don’t alter the schema. Looks good.

config/crd/bases/customresourcedefinition_cloudsmithaccesstokens.generators.external-secrets.io.yml (1)

1-93: New CloudsmithAccessToken CRD is well-scoped and consistent

The new CloudsmithAccessToken CRD follows existing patterns (namespacing, serviceAccountRef constraints, required fields) and keeps the surface minimal (apiUrl, orgSlug, serviceSlug, serviceAccountRef). No schema or security concerns.

config/crd/bases/customresourcedefinition_clustergenerators.generators.external-secrets.io.yml (1)

166-179: ClusterGenerator schema extensions (Cloudsmith, GCP federation, Vault CAS) look coherent

  • environmentType enum gains AzureStackCloud without changing defaults—backward compatible.
  • cloudsmithAccessTokenSpec matches the dedicated CloudsmithAccessToken CRD (orgSlug/serviceSlug/serviceAccountRef with sane constraints).
  • workloadIdentityFederation for GCR mirrors the GCRAccessToken CRD, including required nested refs.
  • checkAndSet adds an explicit CAS toggle for Vault KV v2 without altering existing behavior when unset.
  • kind enum includes CloudsmithAccessToken, aligning with the new generator.

No structural or validation issues detected.

Also applies to: 204-247, 480-592, 1717-1728, 2043-2057

config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml (1)

21-21: CSV version and skipRange look consistent with 1.1.0 upgrade

metadata.name, spec.version, and olm.skipRange are aligned for the 1.1.0 release; no issues from a manifest/versioning perspective.

Also applies to: 41-41, 237-237

config/crd/bases/customresourcedefinition_clusterexternalsecrets.external-secrets.io.yml (1)

6-6: Cloudsmith generator and finalizers additions look consistent

Allowing CloudsmithAccessToken in generatorRef.kind and exposing template.metadata.finalizers matches the broader CRD extensions in this PR and preserves backward compatibility.

Also applies to: 154-170, 372-388, 528-531

config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml (3)

6-6: Kubebuilder version update as expected for release upgrade.

The controller-gen annotation version bump from v0.17.3 to v0.19.0 aligns with the v1.1.0 release objective. This is a standard change for upstream dependency bumps and does not affect runtime behavior.


646-647: Verify pod anti-affinity weight computation semantics.

The description now states weights are "subtracting" rather than "adding" for podAntiAffinity. This semantic correction aligns with Kubernetes scheduler behavior (weights are subtracted to prefer nodes without matching anti-affinity pods), but confirm this matches the actual scheduling logic in the external-secrets operator and upstream Kubernetes spec.


1056-1057: Confirm DynamicResourceAllocation feature gate naming.

The resources.claims description now explicitly references the DynamicResourceAllocation feature gate. Verify this is the canonical feature gate name in the Kubernetes version(s) this operator supports.

config/crd/bases/customresourcedefinition_secretstores.external-secrets.io.yml (6)

6-6: controller-gen version bump is consistent with upstream tooling

controller-gen.kubebuilder.io/version: v0.19.0 aligns with the newer controller-gen used for the v1.1.0 rebased CRDs; nothing to fix here.


2164-2196: Infisical: new auth methods are structurally sound

The added awsAuthCredentials, kubernetesAuthCredentials, and tokenAuthCredentials blocks are consistent with existing Infisical auth refs (key/name/namespace, required fields, etc.). No obvious schema or security issues here.

Also applies to: 2415-2475, 2773-2805


3790-3792: SecretServer: optional domain field is fine

Adding an optional domain string to SecretServer provider is backward‑compatible and matches typical auth shapes; nothing to change.


4696-4797: Volcengine provider schema looks consistent

The new volcengine provider is well‑shaped: region is required, and when auth.secretRef is used, both accessKeyID and secretAccessKey are required, matching the documented IRSA‑fallback behavior. No schema or security concerns from the CRD side.


4984-5012: YandexCertificateManager: fetching policy and auth shape are OK

Updated auth description and the new fetching block (with maxProperties: 1, minProperties: 1, and byName.folderID required) correctly enforce “exactly one of byID / byName” and ensure folder context when using names. Looks good.

Also applies to: 5045-5062


5073-5101: YandexLockbox: fetching policy matches CertificateManager pattern

The new fetching configuration mirrors the CertificateManager pattern with min/maxProperties to ensure mutual exclusivity and folderID required for byName. Auth shape is unchanged apart from description. No issues here.

Also applies to: 5135-5151

bundle/manifests/external-secrets.io_secretstores.yaml (9)

5-5: controller-gen version bump looks fine

v0.19.0 is consistent with upstream CRD generation; no schema risk noted here.


1816-1818: fake.validationResult is benign but ensure it remains internal-only

Adding validationResult to the fake provider schema is fine as long as it is only used internally/tests and not relied on by user-facing tooling or docs.


2337-2370: Infisical new auth credential blocks look consistent

The new awsAuthCredentials, kubernetesAuthCredentials, and tokenAuthCredentials shapes match the existing selector idioms (secretRef-like objects with required keys). No schema or security concerns from the CRD perspective.

Also applies to: 2596-2657, 2966-2999


4058-4060: SecretServer domain field addition

Adding the optional domain string is straightforward and backward compatible; no validation concerns.


5009-5118: Volcengine provider schema is reasonable

Auth flow (IRSA by default, optional static secretRef with required accessKeyID/secretAccessKey/optional token) and required region look consistent with other cloud providers and are safely constrained by existing Secret selectors.


5317-5318: YandexCertificateManager auth description tweak

Updating the description to refer to Yandex.Cloud is purely documentation; safe and consistent.


5382-5404: YandexCertificateManager fetching policy design looks good

fetching with maxProperties: 1/minProperties: 1 plus byID/byName (and required folderID for byName) cleanly models the mutually exclusive modes; no further constraints needed at the CRD level.


5417-5418: YandexLockbox auth description tweak

Same as for Certificate Manager: doc-only change to “against Yandex.Cloud”, no behavioral impact.


5482-5504: YandexLockbox fetching policy mirrors CertificateManager appropriately

The fetching block mirrors the CertificateManager design (ID vs name + folder) with enforced mutual exclusivity; schema is clear and safe.

bundle/manifests/generators.external-secrets.io_clustergenerators.yaml (1)

504-624: Verify workloadIdentityFederation placement and federation support design.

The workloadIdentityFederation block is nested under gcrAccessTokenSpec > auth > workloadIdentity, creating a structure like workloadIdentity.workloadIdentityFederation. This naming could be confusing since both contain "workloadIdentity." Confirm this design allows users to use either direct workload identity (via clusterLocation, clusterName, etc.) or federation mode (via workloadIdentityFederation), and document which approach takes precedence if both are specified.

console.openshift.io/disable-operand-delete: "true"
containerImage: openshift.io/external-secrets-operator:latest
createdAt: "2025-10-23T07:04:13Z"
createdAt: "2025-12-09T09:35:14Z"
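Review bot: `containerImage: openshift.io/external-secrets-operator:latest` in this hunk's context is a mutable tag, so the CSV annotation does not identify the exact image that ships with release 1.1.0 and cannot be reproduced or audited later; pin it to the release tag (or digest) the bundle is actually built from, in line with the version bump this PR makes. The `createdAt` refresh itself is fine as a regenerated timestamp.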

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, locate and examine the CSV file
find . -name "*external-secrets-operator.clusterserviceversion.yaml" -type f

Repository: openshift/external-secrets-operator

Length of output: 228


🏁 Script executed:

# Check the file size to understand how to read it
wc -l ./bundle/manifests/external-secrets-operator.clusterserviceversion.yaml

Repository: openshift/external-secrets-operator

Length of output: 154


🏁 Script executed:

# Read the specific lines mentioned in the comment to verify the claims
sed -n '220,260p' ./bundle/manifests/external-secrets-operator.clusterserviceversion.yaml | cat -n

Repository: openshift/external-secrets-operator

Length of output: 2562


🏁 Script executed:

# Check the lines around 720-728 for relatedImages section
sed -n '715,735p' ./bundle/manifests/external-secrets-operator.clusterserviceversion.yaml | cat -n

Repository: openshift/external-secrets-operator

Length of output: 1219


🏁 Script executed:

# Check metadata.name and spec.version near the top of the file
sed -n '1,50p' ./bundle/manifests/external-secrets-operator.clusterserviceversion.yaml | cat -n

Repository: openshift/external-secrets-operator

Length of output: 1852


🏁 Script executed:

# Search for all OPERATOR_IMAGE_VERSION, RELATED_IMAGE_EXTERNAL_SECRETS, and bitwarden entries
rg "OPERATOR_IMAGE_VERSION|RELATED_IMAGE_EXTERNAL_SECRETS|BITWARDEN_SDK_SERVER|OPERAND_EXTERNAL_SECRETS_IMAGE_VERSION" ./bundle/manifests/external-secrets-operator.clusterserviceversion.yaml -A 1

Repository: openshift/external-secrets-operator

Length of output: 624


🏁 Script executed:

# Check the relatedImages section more thoroughly
sed -n '800,821p' ./bundle/manifests/external-secrets-operator.clusterserviceversion.yaml | cat -n

Repository: openshift/external-secrets-operator

Length of output: 1009


🏁 Script executed:

# Also check if there's a config base file that might have the correct versions
cat ./config/manifests/bases/external-secrets-operator.clusterserviceversion.yaml | head -50

Repository: openshift/external-secrets-operator

Length of output: 2551


🏁 Script executed:

# Search for v0.20.1 or any v0.20 references in the repo
rg "v0\.20\.|0\.20\." . --type yaml

Repository: openshift/external-secrets-operator

Length of output: 3625


🏁 Script executed:

# Check for any PR context or version info in README or docs
find . -maxdepth 2 -name "README*" -o -name "CHANGELOG*" -o -name "VERSION*" | head -5

Repository: openshift/external-secrets-operator

Length of output: 90


CSV version 1.1.0 is out of sync with environment variables and relatedImages

The CSV declares version 1.1.0 (metadata.name and spec.version), but the deployment environment variables and relatedImages still reference outdated versions:

  • OPERATOR_IMAGE_VERSION is still 1.0.0 instead of 1.1.0
  • RELATED_IMAGE_EXTERNAL_SECRETS and OPERAND_EXTERNAL_SECRETS_IMAGE_VERSION are still v0.19.0 and 0.19.0 instead of v0.20.1 and 0.20.1 (the bindata resources confirm v0.20.1 is intended)
  • RELATED_IMAGE_BITWARDEN_SDK_SERVER and BITWARDEN_SDK_SERVER_IMAGE_VERSION entries remain and should be removed if this release no longer includes that operand

Update these to align with the 1.1.0 release:

  • Bump OPERATOR_IMAGE_VERSION to 1.1.0
  • Update RELATED_IMAGE_EXTERNAL_SECRETS to v0.20.1 and OPERAND_EXTERNAL_SECRETS_IMAGE_VERSION to 0.20.1
  • Remove the bitwarden-related environment variables and relatedImages entry
🤖 Prompt for AI Agents
In bundle/manifests/external-secrets-operator.clusterserviceversion.yaml around
line 223, the CSV is 1.1.0 but several env vars and relatedImages are out of
sync; update OPERATOR_IMAGE_VERSION to "1.1.0", set
RELATED_IMAGE_EXTERNAL_SECRETS to "v0.20.1" and
OPERAND_EXTERNAL_SECRETS_IMAGE_VERSION to "0.20.1" (matching bindata), and
remove any BITWARDEN_SDK_SERVER-related entries (both environment variables like
RELATED_IMAGE_BITWARDEN_SDK_SERVER and BITWARDEN_SDK_SERVER_IMAGE_VERSION and
the corresponding relatedImages entry) so the CSV's env and relatedImages
reflect the 1.1.0 release.
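The drift the review describes (spec.version bumped, but the operator env vars and relatedImages left on the previous release) is easy to catch mechanically before a bundle is published. The following is an added example, not code from the external-secrets-operator repository: a standard-library-only scan of a CSV that compares spec.version with OPERATOR_IMAGE_VERSION and checks the operand env vars and relatedImages against an expected operand version passed in by the caller. The CSV fragment and the registry.example.com image names are constructed to mirror the mismatch flagged above; the real bundle is not embedded.

```python
"""Release-consistency check for an OLM ClusterServiceVersion (CSV).

Added example (not from the external-secrets-operator project). It is a
line-oriented scan of the YAML text rather than a full parser, so it needs
no PyYAML; it assumes the conventional CSV layout (spec.version at two-space
indent, `- name:` / `value:` env pairs, `- image:` entries under relatedImages).
"""
import re
from typing import Dict, List, Optional

# Constructed sample CSV fragment mirroring the mismatch under review.
SAMPLE_CSV = """\
apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
  name: external-secrets-operator.v1.1.0
spec:
  install:
    spec:
      deployments:
      - spec:
          template:
            spec:
              containers:
              - env:
                - name: OPERATOR_IMAGE_VERSION
                  value: 1.0.0
                - name: RELATED_IMAGE_EXTERNAL_SECRETS
                  value: registry.example.com/external-secrets:v0.19.0
                - name: OPERAND_EXTERNAL_SECRETS_IMAGE_VERSION
                  value: 0.19.0
  relatedImages:
  - image: registry.example.com/external-secrets:v0.19.0
    name: external-secrets
  version: 1.1.0
"""

ENV_RE = re.compile(r"^\s*-\s*name:\s*(\S+)\s*$")
VALUE_RE = re.compile(r"^\s*value:\s*(\S+)\s*$")
VERSION_RE = re.compile(r"^  version:\s*(\S+)\s*$")      # spec.version (2-space indent)
RELATED_RE = re.compile(r"^\s*-\s*image:\s*(\S+)\s*$")


def parse_csv(text: str) -> Dict[str, object]:
    """Extract spec.version, the container env map and the relatedImages list."""
    env: Dict[str, str] = {}
    related: List[str] = []
    version: Optional[str] = None
    in_related = False
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "relatedImages:":
            in_related = True
            continue
        if in_related:
            m = RELATED_RE.match(line)
            if m:
                related.append(m.group(1))
                continue
            # A two-space-indented key that is not a list item ends the list.
            if line.startswith("  ") and not line.startswith("  -") and not line.startswith("    "):
                in_related = False
        m = VERSION_RE.match(line)
        if m:
            version = m.group(1)
        m = ENV_RE.match(line)
        if m and i + 1 < len(lines):
            v = VALUE_RE.match(lines[i + 1])
            if v:
                env[m.group(1)] = v.group(1)
    return {"version": version, "env": env, "relatedImages": related}


def check_release_consistency(text: str, operand_version: str) -> List[str]:
    """Return human-readable mismatches; an empty list means the CSV is consistent."""
    csv = parse_csv(text)
    env: Dict[str, str] = csv["env"]  # type: ignore[assignment]
    related: List[str] = csv["relatedImages"]  # type: ignore[assignment]
    problems: List[str] = []
    op = env.get("OPERATOR_IMAGE_VERSION")
    if op != csv["version"]:
        problems.append(f"OPERATOR_IMAGE_VERSION={op} but spec.version={csv['version']}")
    img = env.get("RELATED_IMAGE_EXTERNAL_SECRETS", "")
    tag = img.rsplit(":", 1)[-1] if ":" in img else ""
    if tag != f"v{operand_version}":
        problems.append(f"RELATED_IMAGE_EXTERNAL_SECRETS tag {tag!r} != v{operand_version}")
    ov = env.get("OPERAND_EXTERNAL_SECRETS_IMAGE_VERSION")
    if ov != operand_version:
        problems.append(f"OPERAND_EXTERNAL_SECRETS_IMAGE_VERSION={ov} != {operand_version}")
    for image in related:
        if "external-secrets:" in image and not image.endswith(f":v{operand_version}"):
            problems.append(f"relatedImages entry {image} != v{operand_version}")
    # Every RELATED_IMAGE_* env value must also be listed under relatedImages,
    # otherwise disconnected/mirrored installs miss the image.
    for name, value in env.items():
        if name.startswith("RELATED_IMAGE_") and value not in related:
            problems.append(f"{name}={value} is not listed under relatedImages")
    return problems


def fixed_csv(operand_version: str = "0.20.4") -> str:
    """The constructed sample with the versions aligned, for comparison."""
    return (SAMPLE_CSV.replace("value: 1.0.0", "value: 1.1.0")
            .replace("v0.19.0", f"v{operand_version}")
            .replace("value: 0.19.0", f"value: {operand_version}"))


if __name__ == "__main__":
    for p in check_release_consistency(SAMPLE_CSV, "0.20.4"):
        print("MISMATCH:", p)
    print("fixed sample:", check_release_consistency(fixed_csv(), "0.20.4") or "consistent")
```

Wired into a `make verify` target, the function returns a non-empty list exactly when the bundle would ship with the inconsistency the review flagged.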

Comment on lines 4 to +6
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.18.0
controller-gen.kubebuilder.io/version: v0.19.0
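Review bot: the controller-gen annotation bump to v0.19.0 should come from regenerating with the controller-tools version this PR pins in go.mod (sigs.k8s.io/controller-tools v0.19.0), not from a hand edit, so check that `make manifests` leaves the file unchanged. The checkAndSet description the comment below discusses is outside this hunk (lines 710-721) and is generated from the upstream external-secrets API types; rewording it in this YAML will be reverted on the next regeneration, so the wording change belongs in the upstream type's doc comment.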

⚠️ Potential issue | 🟡 Minor

VaultDynamicSecret checkAndSet schema looks structurally sound, but description is slightly misleading

  • New provider.checkAndSet object with a boolean required flag is additive and backward‑compatible; OpenAPI structure is valid.
  • The description text says “for PushSecret operations”, but this CRD is VaultDynamicSecret. That wording may confuse users about whether CAS applies here vs only to PushSecret.

Consider rephrasing the description to something like “for Vault write operations” or explicitly clarifying applicability to VaultDynamicSecret to avoid confusion.

Also applies to: 710-721

🤖 Prompt for AI Agents
In
config/crd/bases/customresourcedefinition_vaultdynamicsecrets.generators.external-secrets.io.yml
around lines 4-6 (and also apply same change at lines 710-721), the
provider.checkAndSet description currently says “for PushSecret operations”
which is misleading for the VaultDynamicSecret CRD; update the description to
clarify applicability to Vault dynamic secret write operations (e.g., “for Vault
write operations” or “for VaultDynamicSecret write operations / CAS on Vault
writes”) so it accurately reflects that the flag controls check-and-set behavior
for Vault write operations in this CRD.

- Add namespace update/patch verbs (required by v0.20.x)
- Add cloudsmithaccesstokens to generators list (new CRD in v0.20.x)
- Regenerate bundle with updated RBAC

Fixes RBAC forbidden error:
  {APIGroups:[""], Resources:["namespaces"], Verbs:["update" "patch"]}
  {APIGroups:["generators.external-secrets.io"], Resources:["cloudsmithaccesstokens"], Verbs:["get" "list" "watch"]}

This resolves the E2E test failure where external-secrets controller
couldn't create ClusterRoles due to missing operator permissions.
- Updated go.mod to Go 1.25.5 to match downstream
- Reverted Dockerfiles to golang:1.24 (CI doesn't have 1.25 yet)
- Added cloudsmithaccesstokens to operator RBAC (new in v0.20.x)
- Regenerated bundle with updated permissions
- Added cloudsmithaccesstokens to kubebuilder RBAC annotation in controller.go
- Regenerated config/rbac/role.yaml via make manifests
- Regenerated bundle with updated RBAC permissions
- Fixes RBAC error when deploying external-secrets v0.20.x

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

♻️ Duplicate comments (1)
bundle/manifests/external-secrets-operator.clusterserviceversion.yaml (1)

730-739: Environment variables and relatedImages still reference outdated versions.

This issue was already flagged in a previous review. The CSV declares version 1.1.0, but:

  • OPERATOR_IMAGE_VERSION remains 1.0.0
  • RELATED_IMAGE_EXTERNAL_SECRETS and OPERAND_EXTERNAL_SECRETS_IMAGE_VERSION remain at v0.19.0/0.19.0 instead of v0.20.1/0.20.1
  • relatedImages still references v0.19.0

These must be updated to align with the v1.1.0 release.

Also applies to: 828-831

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between c69912f and d27d6a5.

📒 Files selected for processing (7)
  • Dockerfile (1 hunks)
  • bundle/manifests/external-secrets-operator.clusterserviceversion.yaml (6 hunks)
  • config/rbac/role.yaml (3 hunks)
  • go.mod (11 hunks)
  • images/ci/Dockerfile (1 hunks)
  • images/ci/operand.Dockerfile (1 hunks)
  • pkg/controller/external_secrets/controller.go (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • images/ci/Dockerfile
  • pkg/controller/external_secrets/controller.go
  • go.mod
  • Dockerfile
  • bundle/manifests/external-secrets-operator.clusterserviceversion.yaml
  • images/ci/operand.Dockerfile
  • config/rbac/role.yaml
🔇 Additional comments (12)
bundle/manifests/external-secrets-operator.clusterserviceversion.yaml (3)

223-234: Version metadata updates look consistent.

The createdAt, olm.skipRange, metadata.name, and spec.version are all correctly aligned for the v1.1.0 release.

Also applies to: 255-255, 832-832


445-460: Expanded RBAC permissions for endpoints and namespaces.

The restructured permissions add create for endpoints and patch/update for namespaces at the cluster level. This aligns with upstream v0.20.x requirements for features like federation and cross-namespace secret management.


564-564: New CloudsmithAccessToken generator resource added.

The cloudsmithaccesstokens resource is correctly added to the generators API group with appropriate permissions, consistent with the upstream v0.20.x bump.

images/ci/Dockerfile (1)

2-2: LGTM!

The builder base image has been updated to use Go 1.25, consistent with the other Dockerfiles in this PR.

images/ci/operand.Dockerfile (1)

1-1: LGTM!

The builder base image has been updated to use Go 1.25, consistent with the other Dockerfiles in this PR.

go.mod (2)

21-30: Verify compatibility with major Kubernetes API and controller-runtime updates.

This PR includes significant version bumps:

  • k8s.io/* packages: v0.32.x → v0.34.x (2 minor versions)
  • controller-runtime: v0.20.x → v0.22.x (2 minor versions)
  • controller-tools: v0.17.x → v0.19.x

These updates may introduce API changes, deprecations, or behavioral differences that could impact the operator's functionality. Ensure thorough testing has been performed to validate compatibility.


338-338: LGTM!

The replace directive correctly points to v0.20.1, aligning with the PR objectives for the upstream bump.

Dockerfile (1)

2-2: Go 1.25 is available and stable.

The golang:1.25 base image is available on Docker Hub. Go 1.25 was released as stable on August 12, 2025, with the latest patch being 1.25.5 (Dec 2, 2025). The update is compatible and ready for use.

config/rbac/role.yaml (3)

105-112: LGTM: Read-only EndpointSlices access.

The addition of read-only permissions (get, list, watch) for the endpointslices resource under discovery.k8s.io is appropriate. EndpointSlices is the newer API for service endpoint discovery and read-only access aligns with observability requirements.


35-42: [Your rewritten review comment text here]
[Exactly ONE classification tag]


154-154: CloudsmithAccessToken integration is properly implemented.

The CRD definition exists at config/crd/bases/customresourcedefinition_cloudsmithaccesstokens.generators.external-secrets.io.yml, the controller has the necessary RBAC rules configured in pkg/controller/external_secrets/controller.go, and the resource is properly referenced in the operator's asset management. This follows the same integration pattern as other generators.

pkg/controller/external_secrets/controller.go (1)

108-119: LGTM: RBAC annotations are consistent with role.yaml.

The kubebuilder RBAC marker annotations correctly reflect the permissions added in config/rbac/role.yaml:

  • Line 108: Added update and patch verbs to namespaces
  • Line 114: Added endpointslices resource with read-only permissions
  • Line 118: Added cloudsmithaccesstokens to generators

These annotations will generate the correct RBAC manifest. The security concerns regarding namespace update/patch permissions and endpoints create permission raised in the config/rbac/role.yaml review apply here as well.

Comment on lines 26 to +31
- endpoints
verbs:
- create
- get
- list
- watch
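Review bot: `create` on core `endpoints` is a write grant in a cluster-wide role, while the successor resource added in the same PR, `discovery.k8s.io/endpointslices`, is read-only (get/list/watch). If some component genuinely creates endpoints it would normally need the same verbs on EndpointSlices, so either align the two grants or drop `create` here; whichever is chosen, record the justification next to the kubebuilder marker in controller.go so regeneration does not silently reintroduce the verb.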

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Explore repository structure
echo "=== Repository structure ==="
git ls-files | head -30

echo -e "\n=== Looking for Go files (likely controller code) ==="
fd '\.go$' | head -20

echo -e "\n=== Checking RBAC role file ==="
cat -n config/rbac/role.yaml 2>/dev/null | head -50

Repository: openshift/external-secrets-operator

Length of output: 3387


🏁 Script executed:

#!/bin/bash
# Search for Endpoints resource usage in Go files

echo "=== Searching for Endpoints client/resource creation ==="
rg -n --type=go 'Endpoints' | head -30

echo -e "\n=== Searching for .Create.*endpoint ==="
rg -n --type=go '\.Create.*[eE]ndpoint' -i

echo -e "\n=== Searching in controller files ==="
find . -name "*.go" -path "*/controller/*" -type f | xargs rg -l Endpoints 2>/dev/null

Repository: openshift/external-secrets-operator

Length of output: 222


🏁 Script executed:

#!/bin/bash
# Search for Endpoints resource usage in Go files

echo "=== Searching for Endpoints in Go code ==="
rg -n --type=go 'Endpoints' | head -30

echo -e "\n=== Searching for endpoint creation calls ==="
rg -n --type=go '\.Create.*endpoint' -i -A3 | head -30

echo -e "\n=== Check controller files for endpoint logic ==="
find . -name "*controller*.go" -type f | xargs rg -l Endpoints 2>/dev/null

Repository: openshift/external-secrets-operator

Length of output: 221


🏁 Script executed:

#!/bin/bash
# Look for controller reconciliation logic

echo "=== Check main external-secrets controller ==="
find . -name "*.go" -path "*/external_secrets/*" | head -20

echo -e "\n=== Search for client method calls (Get, Create, Delete) ==="
rg -n --type=go '\.(Create|Get|Delete|Update|Patch)\(' | grep -v test | head -20

echo -e "\n=== Look at main controller file ==="
ls -la pkg/controller/external_secrets/

echo -e "\n=== Check reconcile logic ==="
rg -n --type=go 'Reconcile' -A5 | head -40

Repository: openshift/external-secrets-operator

Length of output: 8737


🏁 Script executed:

#!/bin/bash
# Comprehensive search for endpoints usage

echo "=== Search entire repo for 'endpoints' ==="
rg -n -i 'endpoints' --type=go --type=yaml | grep -v test | grep -v vendor

echo -e "\n=== Check bindata ClusterRole expectations ==="
find . -name "clusterrole*" -type f | xargs cat

echo -e "\n=== Look for endpoint-related code or comments ==="
rg -n -i 'endpoint' --type=go -B2 -A2 | head -50

Repository: openshift/external-secrets-operator

Length of output: 20982


Remove the create verb from the endpoints resource or provide justification for its necessity.

The kubebuilder RBAC marker at line 110 of pkg/controller/external_secrets/controller.go declares create permission on endpoints, which is reflected in the RBAC role manifest. However, no controller code in the repository actually creates Endpoint objects. Granting unnecessary permissions violates the principle of least privilege. Either remove the create verb or document why it is required.

🤖 Prompt for AI Agents
In config/rbac/role.yaml around lines 26 to 31, the role grants the `create`
verb for the `endpoints` resource but no controller code creates Endpoints;
remove the `create` verb from the endpoints verbs list to follow
least-privilege, and if you believe creation is required instead of removal, add
a brief justification comment in the role.yaml and update the kubebuilder RBAC
marker in pkg/controller/external_secrets/controller.go (line ~110) to match and
document why the controller must create Endpoints so the generated manifest
stays accurate.
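The least-privilege point above generalises: every write verb in a kubebuilder RBAC marker is a grant that should carry a justification, and a reviewer wants them listed rather than buried in a long role.yaml. The following is an added example, not code from the external-secrets-operator repository: it parses `// +kubebuilder:rbac:` marker comments in the form controller-gen accepts (comma-separated `groups=`, `resources=`, `verbs=` with semicolon-separated items) and reports the write verbs per group/resource, optionally filtered by an allowlist of justified grants. The marker lines are constructed to mirror the grants discussed in this PR; they are not copied from controller.go.

```python
"""Least-privilege audit of kubebuilder RBAC markers.

Added example (not from the external-secrets-operator project). Assumes the
standard controller-gen marker syntax; quoted values containing commas are
not handled, which is fine for the groups/resources/verbs form used here.
"""
import re
from typing import Dict, List, Set

# Constructed sample markers mirroring the PR discussion (not the real file).
SAMPLE_GO_SOURCE = """\
// +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch;update;patch
// +kubebuilder:rbac:groups="",resources=endpoints,verbs=create;get;list;watch
// +kubebuilder:rbac:groups=discovery.k8s.io,resources=endpointslices,verbs=get;list;watch
// +kubebuilder:rbac:groups=generators.external-secrets.io,resources=cloudsmithaccesstokens,verbs=get;list;watch
// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=*
"""

# Verbs that change cluster state or confer privilege; "*" covers everything.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection",
               "escalate", "bind", "impersonate", "*"}
MARKER_RE = re.compile(r"^\s*//\s*\+kubebuilder:rbac:(.*)$")


def parse_rbac_markers(source: str) -> List[Dict[str, List[str]]]:
    """Return one dict per marker, e.g. {'groups': [''], 'resources': [...], 'verbs': [...]}."""
    rules: List[Dict[str, List[str]]] = []
    for line in source.splitlines():
        m = MARKER_RE.match(line)
        if not m:
            continue
        fields: Dict[str, List[str]] = {}
        for kv in m.group(1).split(","):
            key, _, value = kv.partition("=")
            value = value.strip().strip('"')          # groups="" is the core group
            fields[key.strip()] = [v for v in value.split(";") if v] or [""]
        rules.append(fields)
    return rules


def write_grants(source: str) -> Dict[str, Set[str]]:
    """Map 'group/resource' -> set of write verbs granted ('' group shown as 'core')."""
    grants: Dict[str, Set[str]] = {}
    for rule in parse_rbac_markers(source):
        writes = set(rule.get("verbs", [])) & WRITE_VERBS
        if not writes:
            continue
        for group in rule.get("groups", [""]):
            for resource in rule.get("resources", []):
                key = f"{group or 'core'}/{resource}"
                grants.setdefault(key, set()).update(writes)
    return grants


def unjustified_write_grants(source: str, justified: Set[str]) -> List[str]:
    """Write grants ('group/resource:verb') with no entry in the reviewer's allowlist."""
    out: List[str] = []
    for key, verbs in write_grants(source).items():
        for verb in sorted(verbs):
            if f"{key}:{verb}" not in justified:
                out.append(f"{key}:{verb}")
    return sorted(out)


if __name__ == "__main__":
    # Allowlist of grants the team has already justified (constructed).
    justified = {"core/namespaces:update", "core/namespaces:patch",
                 "rbac.authorization.k8s.io/clusterroles:*"}
    for grant in unjustified_write_grants(SAMPLE_GO_SOURCE, justified):
        print("needs justification:", grant)
```

Run against the real controller.go, the allowlist lives beside the markers under version control, so a new write verb shows up in review as a diff to the allowlist rather than as an unexplained line in the generated role.yaml.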

FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.20 AS builder
FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.25-openshift-4.20 AS builder

ARG RELEASE_BRANCH=v0.19.0
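Review bot: the builder tag rhel-9-golang-1.25-openshift-4.20 has to exist in the CI registry before this can merge; a later commit on this PR reverts to the 1.24 builder because it did not, so confirm the tag resolves (the exact patch tag used later, 1.25.3, is the safer choice) before re-applying the bump. RELEASE_BRANCH is left at v0.19.0 in the same hunk while the PR moves the operand to v0.20.x, which the comment below already flags as critical.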

⚠️ Potential issue | 🔴 Critical

Critical: Update RELEASE_BRANCH to v0.20.1.

The RELEASE_BRANCH is still set to v0.19.0, but this PR is performing an upstream bump to v0.20.x. The go.mod replace directive (line 338) points to v0.20.1, and the PR objectives explicitly state "Upstream bump for v0.20.x and rebase for v1.1.0 release". This version mismatch will cause the operand to be built with the wrong version of external-secrets, leading to runtime incompatibilities.

Apply this diff to update the version:

-ARG RELEASE_BRANCH=v0.19.0
+ARG RELEASE_BRANCH=v0.20.1
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
ARG RELEASE_BRANCH=v0.19.0
ARG RELEASE_BRANCH=v0.20.1
🤖 Prompt for AI Agents
In images/ci/operand.Dockerfile around line 3, the ARG RELEASE_BRANCH is set to
v0.19.0 but should match the upstream bump to v0.20.x; update the line to set
RELEASE_BRANCH to v0.20.1 so the built operand uses the same external-secrets
version as referenced in go.mod (see replace directive around line 338). Ensure
there are no other occurrences of v0.19.0 in this Dockerfile or CI scripts and
update them to v0.20.1 to keep versions consistent.

CI registry doesn't have golang-1.25 builder images yet.
Using golang-1.24 builder images until CI infrastructure is upgraded.

Note: go.mod requires 1.25.5 but Go 1.24 can build it with GOTOOLCHAIN=auto
CI builder images only support up to Go 1.24.
Downgrading from 1.25.5 to 1.24.4 to match CI infrastructure.
Generated RBAC now includes discovery.k8s.io/endpointslices permissions
required by external-secrets v0.20.x
- Updated go.mod from 1.24.4 to 1.25.3
- Updated Dockerfile to use golang:1.25.3
- Updated CI Dockerfiles to use rhel-9-golang-1.25.3-openshift-4.20
- Regenerated bundle with updated dependencies

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

♻️ Duplicate comments (1)
images/ci/operand.Dockerfile (1)

3-3: Address the previous review comment.

This line was already flagged in a previous review as a critical issue. The RELEASE_BRANCH should be updated to v0.20.1 to align with the PR objectives and the go.mod replace directive.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 249d58f and 3344221.

📒 Files selected for processing (4)
  • Dockerfile (1 hunks)
  • go.mod (11 hunks)
  • images/ci/Dockerfile (1 hunks)
  • images/ci/operand.Dockerfile (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • images/ci/operand.Dockerfile
  • images/ci/Dockerfile
  • Dockerfile
  • go.mod
🔇 Additional comments (3)
images/ci/operand.Dockerfile (1)

1-1: LGTM!

The builder image has been correctly updated to use Go 1.25.3, consistent with the toolchain upgrade across the repository.

images/ci/Dockerfile (1)

2-2: LGTM!

The builder image upgrade to Go 1.25.3 is consistent with the broader toolchain updates across the repository.

go.mod (1)

338-338: LGTM!

The replace directive correctly points to v0.20.1 of the OpenShift fork, aligning with the PR objective to perform an upstream bump for v0.20.x.

Dockerfile Outdated
@@ -1,5 +1,5 @@
# Build the external-secrets-operator binary
FROM docker.io/golang:1.24 AS builder
FROM docker.io/golang:1.25.3 AS builder
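Review bot: pinning to golang:1.25.3 is an improvement over the floating 1.24 tag, but a tag can be re-pushed; for a reproducible build pin the builder by digest as well (`FROM docker.io/golang:1.25.3@sha256:<digest>`, digest to be filled in from the registry) and let dependency automation bump it, which also keeps the patch level current (the comment below asks for 1.25.5).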

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify golang:1.25.3 Go release and Docker image availability

echo "=== Checking Go releases ==="
curl -s https://go.dev/dl/?mode=json | jq -r '.[].version' | head -20

echo ""
echo "=== Checking for Go 1.25.x releases ==="
curl -s https://go.dev/dl/?mode=json | jq -r '.[].version' | grep -E '^go1\.25'

Repository: openshift/external-secrets-operator

Length of output: 176


🌐 Web query:

Go 1.25.3 release date and availability

💡 Result:

Go 1.25.3 was released on October 13, 2025 and is available from the official Go release page (downloads and release notes). [1][2]

Sources:

  • Go release history (go1.25.3 — released 2025-10-13). [1]
  • Microsoft builds and package availability referencing go1.25.3. [2]

Update to the latest Go 1.25.x patch version.

The builder image is set to golang:1.25.3, which is valid but outdated. Go 1.25.5 is now available and should be used instead to benefit from the latest security patches and bug fixes in the 1.25.x series.

🤖 Prompt for AI Agents
In Dockerfile around line 2, the builder base image is pinned to
docker.io/golang:1.25.3 and should be updated to the latest Go 1.25.x patch;
change the FROM reference to docker.io/golang:1.25.5 (or golang:1.25.5) so the
build uses Go 1.25.5, then rebuild the image to pick up the security and bugfix
updates.

Comment on lines +3 to 33
go 1.25.3

require (
github.com/aws/aws-sdk-go v1.55.7
github.com/aws/aws-sdk-go v1.55.8
github.com/cert-manager/cert-manager v1.18.2
github.com/elastic/crd-ref-docs v0.1.0
github.com/ghodss/yaml v1.0.0
github.com/go-bindata/go-bindata v3.1.2+incompatible
github.com/go-logr/logr v1.4.3
github.com/golangci/golangci-lint/v2 v2.6.2
github.com/maxbrunsfeld/counterfeiter/v6 v6.11.2
github.com/onsi/ginkgo/v2 v2.26.0
github.com/golangci/golangci-lint/v2 v2.7.2
github.com/maxbrunsfeld/counterfeiter/v6 v6.12.0
github.com/onsi/ginkgo/v2 v2.27.2
github.com/onsi/gomega v1.38.2
github.com/openshift/build-machinery-go v0.0.0-20250806130835-622c0378eb0d
github.com/stretchr/testify v1.11.1
github.com/vmware-archive/yaml-patch v0.0.11
go.uber.org/zap v1.27.0
golang.org/x/vuln v1.1.4
k8s.io/api v0.32.3
k8s.io/apiextensions-apiserver v0.32.3
k8s.io/apimachinery v0.32.3
k8s.io/client-go v0.32.3
k8s.io/api v0.34.1
k8s.io/apiextensions-apiserver v0.34.1
k8s.io/apimachinery v0.34.1
k8s.io/client-go v0.34.1
k8s.io/klog/v2 v2.130.1
k8s.io/kubernetes v1.32.8
k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
sigs.k8s.io/controller-runtime v0.20.5-0.20250517180713-32e5e9e948a5
k8s.io/kubernetes v1.34.1
k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
sigs.k8s.io/controller-runtime v0.22.3
sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20250308055145-5fe7bb3edc86
sigs.k8s.io/controller-tools v0.17.3
sigs.k8s.io/kube-api-linter v0.0.0-20251203203220-2d0643557c8d
sigs.k8s.io/kustomize/kustomize/v5 v5.5.0
sigs.k8s.io/controller-tools v0.19.0
sigs.k8s.io/kube-api-linter v0.0.0-20251208100930-d3015c953951
sigs.k8s.io/kustomize/kustomize/v5 v5.7.1
)
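Review bot: `sigs.k8s.io/controller-runtime/tools/setup-envtest` is left at the March 2025 pseudo-version while controller-runtime moves to v0.22.3 and the k8s.io modules to v0.34.1; bump it in the same change so the envtest binaries it installs match the 1.34 API server the tests now run against. The `go 1.25.3` directive also means `govulncheck` (golang.org/x/vuln v1.1.4 is unchanged here) should be re-run after the toolchain bump, since the comment below notes 1.25.5 is the current patch.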

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash

# Check Go version availability
echo "=== Verifying Go 1.25.3 ==="
curl -s https://go.dev/dl/?mode=json 2>/dev/null | jq -r '.[].version' 2>/dev/null | head -20

echo -e "\n=== Checking specific Go versions in recent releases ==="
curl -s https://go.dev/dl/?mode=json 2>/dev/null | jq -r '.[].version' 2>/dev/null | grep -E "1.25|1.24"

# Verify via proxy (alternative method)
echo -e "\n=== Checking via go.mod proxy ==="
curl -s "https://proxy.golang.org/golang.org/x/@v/list" 2>/dev/null | grep -E "1.25|1.24" || echo "Note: Direct check failed"

# Check the current version available
echo -e "\n=== Latest Go versions ==="
curl -s https://go.dev/dl/?mode=json 2>/dev/null | jq -r '.[] | "\(.version) - \(.time)"' 2>/dev/null | head -5

Repository: openshift/external-secrets-operator

Length of output: 324


🏁 Script executed:

#!/bin/bash

# Check Kubernetes and controller-runtime versions
echo "=== Checking Kubernetes module versions ==="

# Try to get k8s.io/api versions via proxy
echo "k8s.io/api versions:"
curl -s "https://proxy.golang.org/k8s.io/api/@v/list" 2>/dev/null | grep -E "v0.34|v0.33|v0.32" | tail -10 || echo "Could not fetch from proxy"

echo -e "\n=== Checking controller-runtime versions ==="
echo "sigs.k8s.io/controller-runtime versions:"
curl -s "https://proxy.golang.org/sigs.k8s.io/controller-runtime/@v/list" 2>/dev/null | grep -E "v0.22|v0.21|v0.20" | tail -10 || echo "Could not fetch from proxy"

echo -e "\n=== Checking controller-tools versions ==="
echo "sigs.k8s.io/controller-tools versions:"
curl -s "https://proxy.golang.org/sigs.k8s.io/controller-tools/@v/list" 2>/dev/null | grep -E "v0.19|v0.18|v0.17" | tail -10 || echo "Could not fetch from proxy"

Repository: openshift/external-secrets-operator

Length of output: 551


Update Go version to 1.25.5.

The K8s modules (v0.34.1), controller-runtime (v0.22.3), and controller-tools (v0.19.0) are valid and available. However, Go 1.25.3 is outdated—the latest 1.25.x release is 1.25.5. Update go 1.25.5 in go.mod for consistency with the latest stable patch release.

🤖 Prompt for AI Agents
In go.mod around lines 3 to 33, the module specifies "go 1.25.3" but should be
updated to the latest patch release; change the go directive to "go 1.25.5" to
match the recommended Go version (update the single line "go 1.25.3" -> "go
1.25.5" and run go mod tidy/build to verify).

@openshift-merge-robot openshift-merge-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Dec 18, 2025
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 18, 2025
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 18, 2025
# Conflicts:
#	bundle/manifests/external-secrets-operator.clusterserviceversion.yaml
@openshift-ci

openshift-ci bot commented Dec 24, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: siddhibhor-56
Once this PR has been reviewed and has the lgtm label, please assign swghosh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot

openshift-ci-robot commented Dec 24, 2025

@siddhibhor-56: This pull request references ESO-267 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.


In response to this:

Updated the go.mod to 1.25.3
Bundle changes for v1.1.0 including v0.20.4 upstream external-secrets.
updated the rbac as per the upstream release

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot

openshift-ci-robot commented Dec 24, 2025

@siddhibhor-56: This pull request references ESO-267 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.


In response to this:

  • Updated the go.mod to 1.25.3
  • Bundle changes for v1.1.0 including v0.20.4 upstream external-secrets.
  • updated the rbac as per the upstream release

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (14)
config/crd/bases/customresourcedefinition_externalsecrets.external-secrets.io.yml (3)

141-141: v1beta1 still missing CloudsmithAccessToken in generatorRef.kind enums.

The v1 version correctly includes CloudsmithAccessToken at lines 141 and 376, but v1beta1 is missing this enum value in both locations (lines 808-823 and 1001-1016). This was flagged in a previous review and marked as addressed, but the inconsistency persists.

Even though v1beta1 is deprecated (deprecated: true), maintaining schema parity prevents validation failures for existing clients.

#!/bin/bash
# Verify CloudsmithAccessToken presence in both v1 and v1beta1 versions
echo "=== Checking v1 generatorRef.kind enums ==="
rg -n "CloudsmithAccessToken" config/crd/bases/customresourcedefinition_externalsecrets.external-secrets.io.yml

echo ""
echo "=== v1beta1 generatorRef.kind enum locations (should also have CloudsmithAccessToken) ==="
rg -n -A20 "deprecated: true" config/crd/bases/customresourcedefinition_externalsecrets.external-secrets.io.yml | head -100

Also applies to: 376-376


531-534: v1beta1 template.metadata missing finalizers field.

The v1 version adds finalizers at lines 531-534, but v1beta1's template.metadata (lines 1150-1161) lacks this field. This was previously flagged and marked addressed.


686-690: v1beta1 missing selectableFields block.

The v1 version has selectableFields at lines 686-690, but v1beta1 has no corresponding block. For deprecated versions, this may be intentional, but maintaining parity is recommended until full removal.

config/crd/bases/customresourcedefinition_vaultdynamicsecrets.generators.external-secrets.io.yml (1)

718-729: checkAndSet description mentions "PushSecret operations" which may be misleading in VaultDynamicSecret context.

This concern was already raised in a previous review comment.

config/crd/bases/customresourcedefinition_clustergenerators.generators.external-secrets.io.yml (1)

1752-1763: checkAndSet description references "PushSecret operations" which may be misleading for VaultDynamicSecret context.

Same issue as flagged in the other CRD file - already raised in a previous review.

bundle/manifests/external-secrets.io_clustersecretstores.yaml (2)

814-901: Enforce Azure customCloudConfig preconditions with schema validation

spec.provider.azurekv.customCloudConfig is documented as valid only when:

  • useAzureSDK is true, and
  • environmentType is AzureStackCloud.

The current schema does not enforce this, so users can submit invalid combinations that only fail at runtime. Add x-kubernetes-validations on the azurekv object to gate this.

Suggested schema validation for Azure customCloudConfig
   azurekv:
     description: AzureKV configures this store to sync secrets using
       Azure Key Vault provider
     properties:
       ...
-      vaultUrl:
+      vaultUrl:
         description: Vault Url from which the secrets to be fetched
           from.
         type: string
     required:
     - vaultUrl
-    type: object
+    type: object
+    x-kubernetes-validations:
+    - rule: "!has(self.customCloudConfig) || self.useAzureSDK == true"
+      message: "customCloudConfig requires useAzureSDK to be true."
+    - rule: "!has(self.customCloudConfig) || self.environmentType == 'AzureStackCloud'"
+      message: "customCloudConfig is only supported when environmentType is AzureStackCloud."
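Review bot: the second rule reads `self.environmentType` with no `has()` guard; if environmentType is optional without a default, a resource that sets customCloudConfig but omits environmentType fails with a CEL evaluation error instead of the intended message. Either confirm the field is defaulted or write `!has(self.customCloudConfig) || (has(self.environmentType) && self.environmentType == 'AzureStackCloud')`. Also, this bundle copy is generated, so the rules should be added as XValidation markers on the Go provider type and regenerated, not patched into the YAML.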

Apply the same pattern to other CRDs exposing azurekv.customCloudConfig to keep the API consistent.


5007-5018: Gate Vault checkAndSet to KV v2 via x-kubernetes-validations

checkAndSet is only meaningful for Vault KV v2, but the schema currently allows it with version: v1, which will lead to confusing write errors. Add a validation on the vault object so checkAndSet can only be set when version == 'v2'.

Suggested schema validation for Vault CAS
   vault:
     description: Vault configures this store to sync secrets using
       Hashi provider
     properties:
       ...
       version:
         default: v2
         enum:
         - v1
         - v2
         type: string
     required:
     - server
-    type: object
+    type: object
+    x-kubernetes-validations:
+    - rule: "!has(self.checkAndSet) || self.version == 'v2'"
+      message: "checkAndSet is supported only with Vault KV v2."

Consider mirroring this rule in the other Vault-related CRDs so behavior is uniform across the API surface.

Also applies to: 5125-5133

config/crd/bases/customresourcedefinition_clustersecretstores.external-secrets.io.yml (1)

768-806: Enforce AzureStackCloud → customCloudConfig + useAzureSDK=true via CEL validations

The schema documents hard requirements for AzureStackCloud (must set customCloudConfig and useAzureSDK=true, and customCloudConfig itself requires useAzureSDK=true), but these are not enforced. Misconfiguration will only fail at runtime.

Recommend adding x-kubernetes-validations at the spec.provider.azurekv level (in the Go types/markers, then regenerating CRDs) along these lines:

Proposed CEL validation rules (conceptual)
spec:
  provider:
    azurekv:
      x-kubernetes-validations:
        - rule: "self.environmentType != 'AzureStackCloud' || (has(self.customCloudConfig) && self.useAzureSDK == true)"
          message: "When environmentType is AzureStackCloud, customCloudConfig must be set and useAzureSDK must be true."
        - rule: "!has(self.customCloudConfig) || self.useAzureSDK == true"
          message: "customCloudConfig requires useAzureSDK=true."

Apply the equivalent annotations to the SecretStore CRD as well, and ensure target Kubernetes/OpenShift versions support CEL validation (Kubernetes ≥1.25, GA in 1.26+).

This file is generated by controller-gen; please implement these constraints in the backing Go structs/markers rather than editing the YAML directly. Based on past review comments, this gap has been noted before and is still present after the rebase.

Also applies to: 843-848

config/crd/bases/customresourcedefinition_secretstores.external-secrets.io.yml (3)

768-806: Azure Stack: missing schema validation for environmentType, customCloudConfig, and useAzureSDK

The docs state:

  • customCloudConfig is required when environmentType is AzureStackCloud.
  • customCloudConfig.activeDirectoryEndpoint is required when custom config is used.
  • useAzureSDK must be true when using custom cloud config.

The schema currently only documents this in descriptions; invalid combinations are accepted and will fail later at runtime (e.g. AzureStackCloud without customCloudConfig, or customCloudConfig with useAzureSDK=false), which is hard to debug.

Add CEL validations on the azurekv object to enforce these relationships (ideally via kubebuilder XValidation in the Go types and regenerate this CRD):

Proposed CEL validations for Azure Stack coupling
                     azurekv:
                       description: AzureKV configures this store to sync secrets using Azure Key Vault provider
                       properties:
                         authSecretRef:
                           ...
-                        useAzureSDK:
+                        useAzureSDK:
                           default: false
                           description: |-
                             UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
                             This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
                           type: boolean
                       required:
                         - vaultUrl
-                      type: object
+                      type: object
+                      x-kubernetes-validations:
+                        - rule: "self.environmentType != 'AzureStackCloud' || (has(self.customCloudConfig) && has(self.customCloudConfig.activeDirectoryEndpoint) && self.useAzureSDK == true)"
+                          message: "When environmentType is AzureStackCloud, set useAzureSDK=true and provide customCloudConfig.activeDirectoryEndpoint."
+                        - rule: "!has(self.customCloudConfig) || self.environmentType == 'AzureStackCloud'"
+                          message: "customCloudConfig is only supported with environmentType AzureStackCloud."
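
Review bot: The second rule (`!has(self.customCloudConfig) || self.environmentType == 'AzureStackCloud'`) is stricter than the description it is meant to enforce: the schema text says customCloudConfig is required when environmentType is AzureStackCloud, not that it is forbidden for every other environment, so this would reject a combination the docs never call invalid. It also differs from the rule set proposed for the ClusterSecretStore copy of the same azurekv object above (`!has(self.customCloudConfig) || self.useAzureSDK == true`); if both schemas come from one Go type, as the "generated by controller-gen" note implies, put a single XValidation marker on that type so both CRDs carry identical rules rather than two hand-edited variants. Both rules also read self.environmentType without a has() guard, which is only safe if environmentType has a default in this schema; otherwise an object that omits the field fails with a missing-key error instead of the intended message.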

Also applies to: 843-848


1824-1936: GCP workloadIdentityFederation: audience is documented as required but not enforced

The gcpsm.auth.workloadIdentityFederation blocks (both v1 and v1beta1) say:

audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.

But the schema doesn’t enforce this. Users can create invalid resources that only fail at reconciliation time.

Add CEL validations under workloadIdentityFederation in both versions to enforce the conditional requirement:

Proposed CEL validation for `audience`
           workloadIdentityFederation:
             description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
             properties:
               audience:
                 description: |-
                   audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
                   If specified, Audience found in the external account credential config will be overridden with the configured value.
                   audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
                 type: string
               awsSecurityCredentials:
                 ...
               credConfig:
                 ...
               externalTokenEndpoint:
                 ...
               serviceAccountRef:
                 ...
-            type: object
+            type: object
+            x-kubernetes-validations:
+              - rule: "!(has(self.serviceAccountRef) || has(self.awsSecurityCredentials)) || (has(self.audience) && self.audience != '')"
+                message: "audience is required when serviceAccountRef or awsSecurityCredentials is set."
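
Review bot: The rule enforces the audience dependency but leaves the token-source question open, while the comment on the bundle copy of this same object below proposes a oneOf that additionally makes credConfig, serviceAccountRef and awsSecurityCredentials mutually exclusive. Decide on one behaviour and one mechanism for both files: the bundle manifest is a copy of this CRD, so the two schemas must end up identical, and a CEL XValidation marker is the form controller-gen can regenerate (there is no marker that emits oneOf). Whether the three sources are actually exclusive is not answered by the visible description, which only states the audience requirement, so confirm that against upstream before encoding it.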

Apply the same pattern under spec.provider.gcpsm.auth.workloadIdentityFederation in the v1beta1 schema.

Also applies to: 6988-7065


4668-4679: Vault checkAndSet: not gated to KV v2 and no default on required flag

The new vault.checkAndSet block:

  • Is allowed regardless of vault.version (v1 or v2), but CAS semantics only make sense for KV v2.
  • Leaves required without an explicit default; making it explicit avoids ambiguity and documents behavior.

This can lead to users enabling CAS against KV v1 and getting confusing or broken behavior.

Consider:

  1. Defaulting required to false.
  2. Gating checkAndSet so it can only be set when version == "v2".

Add a default + CEL validation on the vault object:

Proposed gating of `checkAndSet` to KV v2
         vault:
           properties:
             ...
             checkAndSet:
               description: |-
                 CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
                 Only applies to Vault KV v2 stores. When enabled, write operations must include
                 the current version of the secret to prevent unintentional overwrites.
               properties:
                 required:
                   description: |-
                     Required when true, all write operations must include a check-and-set parameter.
                     This helps prevent unintentional overwrites of secrets.
-                  type: boolean
+                  type: boolean
+                  default: false
               type: object
-          type: object
+          type: object
+          x-kubernetes-validations:
+            - rule: "!has(self.checkAndSet) || self.version == 'v2'"
+              message: "checkAndSet is only supported for Vault KV v2."
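
Review bot: The new rule reads self.version unguarded (`!has(self.checkAndSet) || self.version == 'v2'`); that is only safe if version carries a default in this schema, which the hunk does not show. If version is optional without a default, write `!has(self.checkAndSet) || (has(self.version) && self.version == 'v2')` or add the default together with this rule, otherwise a store that omits version and sets checkAndSet fails with a missing-key error rather than the intended message. Note also that the bundle-copy proposal for the same object below adds the rule but not the `default: false` on checkAndSet.required; both belong in the Go markers on the Vault provider type so config/crd and bundle are regenerated in step.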

Also applies to: 4783-4790

bundle/manifests/external-secrets.io_secretstores.yaml (3)

802-901: Enforce AzureStack and WorkloadIdentity invariants for azurekv; fix useAzureSDK casing in docs.

The new Azure custom cloud fields are only documented, not enforced. Users can set environmentType: AzureStackCloud without customCloudConfig and/or without useAzureSDK: true, or set authType: WorkloadIdentity without serviceAccountRef, leading to hard-to-debug runtime failures.

Consider adding CEL validations at the provider.azurekv object level and aligning the description with the actual field name:

Proposed validation and doc tweaks
-                      customCloudConfig:
-                        description: |-
-                          CustomCloudConfig defines custom Azure Stack Hub or Azure Stack Edge endpoints.
-                          Required when EnvironmentType is AzureStackCloud.
-                          IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
+                      customCloudConfig:
+                        description: |-
+                          CustomCloudConfig defines custom Azure Stack Hub or Azure Stack Edge endpoints.
+                          Required when environmentType is AzureStackCloud.
+                          IMPORTANT: This feature REQUIRES useAzureSDK to be set to true. Custom cloud
                           configuration is not supported with the legacy go-autorest SDK.
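
Review bot: The casing fix in the two `+` description lines (`Required when environmentType is AzureStackCloud.` and `IMPORTANT: This feature REQUIRES useAzureSDK ...`) edits a controller-gen generated string and will be reverted on the next regeneration; the source is the Go doc comment on the CustomCloudConfig field, and the fix belongs there, as the earlier comment on the config/crd copy already points out. The identical description in config/crd/bases should change at the same time so the bundle remains a faithful copy of it.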
@@
                     required:
                     - vaultUrl
                     type: object
+                    x-kubernetes-validations:
+                    - rule: "self.environmentType != 'AzureStackCloud' || has(self.customCloudConfig)"
+                      message: "customCloudConfig is required when environmentType is AzureStackCloud."
+                    - rule: "self.environmentType != 'AzureStackCloud' || self.useAzureSDK == true"
+                      message: "useAzureSDK must be true for AzureStackCloud."
+                    - rule: "self.authType != 'WorkloadIdentity' || has(self.serviceAccountRef)"
+                      message: "serviceAccountRef is required when authType is WorkloadIdentity."
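
Review bot: The third rule (`self.authType != 'WorkloadIdentity' || has(self.serviceAccountRef)`) enforces a requirement that none of the visible descriptions state; the hunk only documents the customCloudConfig/useAzureSDK coupling. Confirm with upstream that WorkloadIdentity has no mode without a serviceAccountRef before adding it, or the rule will reject a configuration upstream accepts at admission time. This proposal also differs from the two rules proposed for the same azurekv object in the config/crd copy (there customCloudConfig is tied to AzureStackCloud and activeDirectoryEndpoint is mandatory); since the bundle is regenerated from config/crd, settle on one rule set in the Go marker and let both files be regenerated. As in the other hunks, self.environmentType and self.authType are read without has() guards, which only works if both fields have schema defaults.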

5007-5133: Gate Vault checkAndSet to KV v2 with CEL validation.

The new provider.vault.checkAndSet block is documented as “Only applies to Vault KV v2 stores”, but the schema does not enforce this. Users can configure CAS on a v1 engine, leading to misaligned behavior with the docs and upstream expectations.

Add a CEL guard at the provider.vault object:

Proposed Vault validation rule
                     required:
                     - server
                     type: object
+                    x-kubernetes-validations:
+                    - rule: "!has(self.checkAndSet) || self.version == 'v2'"
+                      message: "checkAndSet is only supported with Vault KV v2."
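
Review bot: This is the same rule as the config/crd proposal above but with a different message (`only supported with Vault KV v2` versus `only supported for Vault KV v2`) and without the `default: false` on checkAndSet.required proposed there. Hand-editing the bundle manifest produces drift from the file it is generated from; put the rule and the default in the markers on the Vault provider type and regenerate both copies. The same unguarded self.version read applies here: guard it with has() unless version carries a schema default.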

You may also want to mirror this rule anywhere else checkAndSet is exposed (e.g. other SecretStore/ClusterSecretStore CRDs).


1966-2086: GCP Workload Identity Federation: enforce audience + exactly one token source.

workloadIdentityFederation currently allows multiple token sources (credConfig, serviceAccountRef, awsSecurityCredentials) simultaneously and does not enforce that audience is set when using serviceAccountRef or awsSecurityCredentials, despite the description saying so. This can easily produce ambiguous or broken auth configs.

Model this with oneOf at the object level so validation enforces the invariants:

Proposed `oneOf` schema for `workloadIdentityFederation`
                       workloadIdentityFederation:
                         description: GCPWorkloadIdentityFederation holds the configurations
                           required for generating federated access tokens.
                         properties:
                           audience:
@@
                           serviceAccountRef:
@@
-                        type: object
+                        oneOf:
+                        # 1) Use external account JSON from credConfig only
+                        - required:
+                          - credConfig
+                        # 2) Use Kubernetes serviceAccountRef, audience must be set
+                        - required:
+                          - serviceAccountRef
+                          - audience
+                        # 3) Use explicit AWS credentials, audience must be set
+                        - required:
+                          - awsSecurityCredentials
+                          - audience
+                        type: object
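
Review bot: The oneOf makes the three token sources mutually exclusive, which goes beyond the description (it only says audience is required when serviceAccountRef or awsSecurityCredentials is set), and it is a different mechanism from the CEL rule proposed for the config/crd copy of this object. Two problems follow: controller-gen has no marker that emits oneOf, so this edit would not survive regeneration and the two files would diverge; and whether a layout combining credConfig with serviceAccountRef or awsSecurityCredentials is invalid is not answered by the visible descriptions, so it needs confirming against upstream before being encoded. If exclusivity is confirmed, express it as a CEL XValidation on the same object next to the audience rule, e.g. `[has(self.credConfig), has(self.serviceAccountRef), has(self.awsSecurityCredentials)].filter(x, x).size() == 1`, so both generated files pick it up.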

This guarantees exactly one token source and encodes the audience requirement at the schema level instead of relying on docs.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 32195d3 and a2f3782.

📒 Files selected for processing (62)
  • Makefile
  • bindata/external-secrets/resources/certificate_external-secrets-webhook.yml
  • bindata/external-secrets/resources/clusterrole_external-secrets-cert-controller.yml
  • bindata/external-secrets/resources/clusterrole_external-secrets-controller.yml
  • bindata/external-secrets/resources/clusterrole_external-secrets-edit.yml
  • bindata/external-secrets/resources/clusterrole_external-secrets-servicebindings.yml
  • bindata/external-secrets/resources/clusterrole_external-secrets-view.yml
  • bindata/external-secrets/resources/clusterrolebinding_external-secrets-cert-controller.yml
  • bindata/external-secrets/resources/clusterrolebinding_external-secrets-controller.yml
  • bindata/external-secrets/resources/deployment_external-secrets-cert-controller.yml
  • bindata/external-secrets/resources/deployment_external-secrets-webhook.yml
  • bindata/external-secrets/resources/deployment_external-secrets.yml
  • bindata/external-secrets/resources/role_external-secrets-leaderelection.yml
  • bindata/external-secrets/resources/rolebinding_external-secrets-leaderelection.yml
  • bindata/external-secrets/resources/secret_external-secrets-webhook.yml
  • bindata/external-secrets/resources/service_external-secrets-cert-controller-metrics.yml
  • bindata/external-secrets/resources/service_external-secrets-metrics.yml
  • bindata/external-secrets/resources/service_external-secrets-webhook.yml
  • bindata/external-secrets/resources/serviceaccount_external-secrets-cert-controller.yml
  • bindata/external-secrets/resources/serviceaccount_external-secrets-webhook.yml
  • bindata/external-secrets/resources/serviceaccount_external-secrets.yml
  • bindata/external-secrets/resources/validatingwebhookconfiguration_externalsecret-validate.yml
  • bindata/external-secrets/resources/validatingwebhookconfiguration_secretstore-validate.yml
  • bundle/manifests/external-secrets.io_clusterexternalsecrets.yaml
  • bundle/manifests/external-secrets.io_clusterpushsecrets.yaml
  • bundle/manifests/external-secrets.io_clustersecretstores.yaml
  • bundle/manifests/external-secrets.io_externalsecrets.yaml
  • bundle/manifests/external-secrets.io_pushsecrets.yaml
  • bundle/manifests/external-secrets.io_secretstores.yaml
  • bundle/manifests/generators.external-secrets.io_acraccesstokens.yaml
  • bundle/manifests/generators.external-secrets.io_clustergenerators.yaml
  • bundle/manifests/generators.external-secrets.io_ecrauthorizationtokens.yaml
  • bundle/manifests/generators.external-secrets.io_gcraccesstokens.yaml
  • bundle/manifests/generators.external-secrets.io_generatorstates.yaml
  • bundle/manifests/generators.external-secrets.io_githubaccesstokens.yaml
  • bundle/manifests/generators.external-secrets.io_grafanas.yaml
  • bundle/manifests/generators.external-secrets.io_passwords.yaml
  • bundle/manifests/generators.external-secrets.io_quayaccesstokens.yaml
  • bundle/manifests/generators.external-secrets.io_stssessiontokens.yaml
  • bundle/manifests/generators.external-secrets.io_vaultdynamicsecrets.yaml
  • bundle/manifests/generators.external-secrets.io_webhooks.yaml
  • config/crd/bases/customresourcedefinition_acraccesstokens.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_cloudsmithaccesstokens.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_clusterexternalsecrets.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_clustergenerators.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_clusterpushsecrets.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_clustersecretstores.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_ecrauthorizationtokens.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_externalsecrets.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_gcraccesstokens.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_generatorstates.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_githubaccesstokens.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_grafanas.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_passwords.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_pushsecrets.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_quayaccesstokens.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_secretstores.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_stssessiontokens.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_vaultdynamicsecrets.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_webhooks.generators.external-secrets.io.yml
  • go.mod
  • pkg/operator/assets/bindata.go
🚧 Files skipped from review as they are similar to previous changes (28)
  • bindata/external-secrets/resources/deployment_external-secrets-webhook.yml
  • bindata/external-secrets/resources/service_external-secrets-cert-controller-metrics.yml
  • bindata/external-secrets/resources/serviceaccount_external-secrets-webhook.yml
  • bindata/external-secrets/resources/clusterrole_external-secrets-servicebindings.yml
  • go.mod
  • bindata/external-secrets/resources/deployment_external-secrets.yml
  • config/crd/bases/customresourcedefinition_cloudsmithaccesstokens.generators.external-secrets.io.yml
  • bindata/external-secrets/resources/certificate_external-secrets-webhook.yml
  • bundle/manifests/generators.external-secrets.io_stssessiontokens.yaml
  • config/crd/bases/customresourcedefinition_generatorstates.generators.external-secrets.io.yml
  • bindata/external-secrets/resources/rolebinding_external-secrets-leaderelection.yml
  • bindata/external-secrets/resources/clusterrole_external-secrets-view.yml
  • bundle/manifests/generators.external-secrets.io_grafanas.yaml
  • bundle/manifests/generators.external-secrets.io_webhooks.yaml
  • bindata/external-secrets/resources/serviceaccount_external-secrets-cert-controller.yml
  • bindata/external-secrets/resources/service_external-secrets-webhook.yml
  • bindata/external-secrets/resources/service_external-secrets-metrics.yml
  • Makefile
  • config/crd/bases/customresourcedefinition_grafanas.generators.external-secrets.io.yml
  • bindata/external-secrets/resources/secret_external-secrets-webhook.yml
  • bindata/external-secrets/resources/serviceaccount_external-secrets.yml
  • bindata/external-secrets/resources/validatingwebhookconfiguration_secretstore-validate.yml
  • bundle/manifests/generators.external-secrets.io_passwords.yaml
  • bindata/external-secrets/resources/role_external-secrets-leaderelection.yml
  • bundle/manifests/external-secrets.io_clusterpushsecrets.yaml
  • bindata/external-secrets/resources/clusterrole_external-secrets-edit.yml
  • bindata/external-secrets/resources/clusterrolebinding_external-secrets-cert-controller.yml
  • bundle/manifests/external-secrets.io_pushsecrets.yaml
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • bindata/external-secrets/resources/validatingwebhookconfiguration_externalsecret-validate.yml
  • bindata/external-secrets/resources/clusterrole_external-secrets-cert-controller.yml
  • bindata/external-secrets/resources/clusterrole_external-secrets-controller.yml
  • bundle/manifests/generators.external-secrets.io_generatorstates.yaml
  • config/crd/bases/customresourcedefinition_pushsecrets.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_stssessiontokens.generators.external-secrets.io.yml
  • bundle/manifests/generators.external-secrets.io_gcraccesstokens.yaml
  • bundle/manifests/generators.external-secrets.io_ecrauthorizationtokens.yaml
  • pkg/operator/assets/bindata.go
  • config/crd/bases/customresourcedefinition_passwords.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_acraccesstokens.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_clusterpushsecrets.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_ecrauthorizationtokens.generators.external-secrets.io.yml
  • bundle/manifests/external-secrets.io_externalsecrets.yaml
  • config/crd/bases/customresourcedefinition_clustersecretstores.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_webhooks.generators.external-secrets.io.yml
  • bundle/manifests/generators.external-secrets.io_quayaccesstokens.yaml
  • bindata/external-secrets/resources/deployment_external-secrets-cert-controller.yml
  • bundle/manifests/generators.external-secrets.io_githubaccesstokens.yaml
  • bundle/manifests/generators.external-secrets.io_clustergenerators.yaml
  • config/crd/bases/customresourcedefinition_clustergenerators.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_gcraccesstokens.generators.external-secrets.io.yml
  • bindata/external-secrets/resources/clusterrolebinding_external-secrets-controller.yml
  • config/crd/bases/customresourcedefinition_externalsecrets.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_quayaccesstokens.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_githubaccesstokens.generators.external-secrets.io.yml
  • config/crd/bases/customresourcedefinition_clusterexternalsecrets.external-secrets.io.yml
  • bundle/manifests/external-secrets.io_clusterexternalsecrets.yaml
  • config/crd/bases/customresourcedefinition_secretstores.external-secrets.io.yml
  • bundle/manifests/generators.external-secrets.io_acraccesstokens.yaml
  • bundle/manifests/external-secrets.io_clustersecretstores.yaml
  • bundle/manifests/generators.external-secrets.io_vaultdynamicsecrets.yaml
  • config/crd/bases/customresourcedefinition_vaultdynamicsecrets.generators.external-secrets.io.yml
  • bundle/manifests/external-secrets.io_secretstores.yaml
🔇 Additional comments (57)
bundle/manifests/generators.external-secrets.io_githubaccesstokens.yaml (2)

5-5: LGTM: Controller-gen version bump.

The annotation update from v0.18.0 to v0.19.0 aligns with the upstream bump mentioned in the PR objectives.


46-47: LGTM: Documentation improvements enhance clarity.

The added descriptions for GithubAccessTokenSpec, privateKey, and secretRef fields improve user understanding of the CRD. The correction of "Github" to "GitHub" ensures proper brand name capitalization.

Also applies to: 55-56, 60-60, 109-109

config/crd/bases/customresourcedefinition_ecrauthorizationtokens.generators.external-secrets.io.yml (2)

27-60: LGTM! Documentation improvements enhance API clarity.

The OpenAPI schema description updates accurately reflect the resource structure and improve developer understanding:

  • Line 27 correctly describes the ECRAuthorizationToken resource (not just the spec)
  • Line 51 provides clear context for the spec's purpose
  • Lines 57 & 60 use precise, consistent terminology for authentication fields

6-6: All CRD files in the repository are already consistently using controller-gen v0.19.0 across all 24 CRD definitions. No inconsistencies detected.

bindata/external-secrets/resources/validatingwebhookconfiguration_externalsecret-validate.yml (1)

9-9: LGTM! Version label correctly updated.

The version label update to "v0.20.4" aligns with the PR objectives for the upstream bump and is consistent with the coordinated release process described in the summary.

bundle/manifests/generators.external-secrets.io_generatorstates.yaml (2)

35-36: LGTM! Improved CRD documentation.

The added OpenAPI schema descriptions enhance the CRD documentation and follow Kubernetes conventions. These descriptions will help users better understand the GeneratorState resource structure.

Also applies to: 56-57, 85-86, 90-91, 103-104


5-5: The kubebuilder version update to v0.19.0 is consistent across all CRDs in the bundle/manifests directory (all 23 CRD manifests use the same version). No action required.

bundle/manifests/generators.external-secrets.io_ecrauthorizationtokens.yaml (1)

5-5: LGTM! Documentation improvements enhance clarity.

The changes appropriately:

  • Bump the controller-gen version to v0.19.0 (expected for upstream dependency updates)
  • Correct the top-level description to reference ECRAuthorizationToken rather than ECRAuthorizationTokenSpec
  • Add helpful spec-level description
  • Improve clarity and conciseness of auth.jwt and serviceAccountRef descriptions

All changes are non-functional documentation enhancements that improve the CRD's self-documenting nature without altering schema validation or behavior.

Also applies to: 27-31, 51-52, 58-59, 62-63

bundle/manifests/generators.external-secrets.io_quayaccesstokens.yaml (2)

47-48: LGTM: Documentation improvement.

The added description enhances the CRD's OpenAPI documentation without changing functionality. This is consistent with similar improvements across other generator CRDs in this PR.


5-5: Controller-gen version is consistent across all CRD files and properly pinned in go.mod.

All 48 CRD files in both config/crd/bases/ and bundle/manifests/ use v0.19.0, and the dependency in go.mod (sigs.k8s.io/controller-tools v0.19.0) matches. The version bump has been applied uniformly throughout the codebase with no mismatches.

config/crd/bases/customresourcedefinition_quayaccesstokens.generators.external-secrets.io.yml (1)

6-6: LGTM: Consistent CRD updates.

These changes mirror those in the bundle manifest:

  • Controller-gen version bump to v0.19.0 (verification requested in bundle manifest review)
  • Spec description addition for improved documentation

Both are non-functional improvements appropriate for a version bump/rebase.

Also applies to: 46-46

bundle/manifests/generators.external-secrets.io_clustergenerators.yaml (3)

219-268: LGTM! CloudsmithAccessToken generator is well-structured.

The new CloudsmithAccessToken generator follows the same patterns as existing token generators (QuayAccessToken, GithubAccessToken). The schema properly marks required fields (orgSlug, serviceAccountRef, serviceSlug) and includes appropriate validation patterns. The serviceAccountRef structure is consistent with other service account references throughout the CRD.


519-639: LGTM! Workload identity federation support is comprehensive.

The new workloadIdentityFederation configuration for GCP authentication is well-designed with:

  • Support for multiple identity providers (Kubernetes, AWS)
  • Proper validation patterns and constraints
  • Clear documentation of conditional requirements
  • Consistent structure with other authentication methods in the CRD

The schema appropriately handles the complexity of federated authentication workflows.


5-5: LGTM! Schema extensions are well-integrated.

The additional changes enhance the CRD with useful capabilities:

  • AzureStackCloud environment type extends Azure support
  • Password encoding options (base64, base64url, base32, hex, raw) with sensible default
  • Vault cert auth path configuration with default value
  • Check-And-Set (CAS) support for Vault KV v2 prevents unintentional overwrites

All changes are backward-compatible additions that follow existing patterns. The controller-gen version bump to v0.19.0 is routine maintenance for the code generation tool.

Also applies to: 192-192, 877-893, 1301-1306, 1865-1876, 2208-2208

pkg/operator/assets/bindata.go (4)

434-434: LGTM: Version labels updated consistently.

All version labels have been systematically updated from v0.19.0 to v0.20.4 across resources, and bitwarden-sdk-server from v0.5.0 to v0.5.1.

Also applies to: 474-474, 572-572, 739-739, 809-809, 846-846, 912-912, 947-947, 1059-1059, 1073-1073, 1141-1141, 1155-1155, 1232-1232, 1246-1246, 1306-1306, 1360-1360, 1396-1396, 1462-1462, 1500-1500, 1538-1538, 1609-1609, 1637-1637, 1665-1665, 1692-1692, 1737-1737


630-630: LGTM: New generator resource added.

The cloudsmithaccesstokens generator resource has been properly added to controller, edit, and view RBAC roles following the established pattern for generator resources.

Also applies to: 762-762, 868-868


1545-1545: Good: Named port reference improves maintainability.

Replacing the hardcoded port 10250 with the named port "webhook" is a best practice that improves clarity and maintainability.


513-520: Endpointslices permission is justified; namespace update/patch requires clarification.

The endpointslices read access (lines 513-520) is necessary for the cert-controller to discover endpoints, as shown in the source manifest. However, the namespace update/patch permissions (lines 658-664) are declared in the controller manifest but no direct usage of updating Namespace objects is visible in the controller code. The updateNamespace() function only sets the namespace field on other objects client-side. Clarify whether these namespace write permissions are needed for the current v0.20.4 functionality or are intended for future features.

bindata/external-secrets/resources/deployment_external-secrets-cert-controller.yml (1)

10-10: LGTM: Version labels consistently updated.

The version labels in both metadata and pod template are correctly synchronized to v0.20.4, which aligns with the PR objective of bumping to v0.20.x.

Also applies to: 24-24

config/crd/bases/customresourcedefinition_webhooks.generators.external-secrets.io.yml (1)

1-223: LGTM!

The CRD updates are consistent with the broader PR pattern: controller-gen v0.19.0 bump and improved SecretKeySelector descriptions for webhook auth fields. Schema structure is sound.

config/crd/bases/customresourcedefinition_passwords.generators.external-secrets.io.yml (1)

60-76: LGTM!

The new encoding field is well-designed with a sensible default (raw), comprehensive enum values covering common encoding formats, and clear documentation for each option.

bundle/manifests/generators.external-secrets.io_acraccesstokens.yaml (1)

178-191: LGTM!

The addition of AzureStackCloud to the environmentType enum appropriately extends Azure cloud environment support. The description update and enum expansion are consistent with the PR's broader schema enrichments.

config/crd/bases/customresourcedefinition_pushsecrets.external-secrets.io.yml (2)

186-203: LGTM!

The CloudsmithAccessToken addition to the generatorRef.kind enum is consistent with the broader PR pattern extending generator support across all relevant CRDs.


301-304: LGTM!

The finalizers field addition to template.metadata allows users to specify finalizers on generated secrets, providing better lifecycle management capabilities.

config/crd/bases/customresourcedefinition_gcraccesstokens.generators.external-secrets.io.yml (1)

125-237: LGTM!

The new workloadIdentityFederation block is well-structured, enabling federated authentication with GCP via external identity providers (AWS, Kubernetes). Key highlights:

  • Clear audience configuration for STS
  • AWS credentials referenced via Secret with documented key naming conventions
  • ConfigMap-based credential config for external account setup
  • Consistent validation patterns across all reference fields

config/crd/bases/customresourcedefinition_githubaccesstokens.generators.external-secrets.io.yml (1)

1-116: LGTM!

The CRD updates are documentation improvements aligning with the PR's SecretKeySelector terminology standardization. The GitHub URL description capitalization fix is appropriate.

config/crd/bases/customresourcedefinition_acraccesstokens.generators.external-secrets.io.yml (1)

168-181: LGTM!

The AzureStackCloud addition to the environmentType enum is consistent with the bundle manifest and enables support for Azure Stack environments.

config/crd/bases/customresourcedefinition_externalsecrets.external-secrets.io.yml (1)

293-321: LGTM!

The expanded merge rewrite options (conflictPolicy, priorityPolicy, strategy enums) provide more granular control over secret key merging behavior in v1.

config/crd/bases/customresourcedefinition_vaultdynamicsecrets.generators.external-secrets.io.yml (2)

6-6: Controller-gen version bump looks good.

Version bump to v0.19.0 aligns with the upstream v0.20.x bump mentioned in PR objectives.


185-190: New path field for cert auth is consistent with other auth backends.

This follows the same pattern as approle.path, jwt.path, ldap.path, and userpass.path, providing a sensible default of "cert" while allowing customization when the cert auth backend is mounted at a non-default path.

config/crd/bases/customresourcedefinition_clustergenerators.generators.external-secrets.io.yml (5)

176-180: AzureStackCloud addition extends Azure support appropriately.

Adding AzureStackCloud to the environmentType enum enables users to authenticate against Azure Stack environments, which is valuable for private/hybrid cloud deployments.


206-250: New CloudsmithAccessToken generator spec is well-structured.

The schema properly requires essential fields (orgSlug, serviceAccountRef, serviceSlug) while making apiUrl optional with a sensible default. The serviceAccountRef follows the established ServiceAccountSelector pattern used elsewhere in the codebase.


487-599: Comprehensive workloadIdentityFederation configuration for GCP.

This block provides flexible federation options:

  • serviceAccountRef for Kubernetes-based identity
  • awsSecurityCredentials for cross-cloud federation with proper secret handling
  • credConfig for external account credential configuration via ConfigMap

The field validations (minLength, maxLength, patterns) are consistent with other reference fields in the CRD.


817-833: Password encoding options are well-defined.

The new encoding field with enum values (base64, base64url, base32, hex, raw) and a sensible default of raw provides useful flexibility for generated passwords without breaking existing behavior.


2076-2093: CloudsmithAccessToken added to generator kind enum.

This properly extends the supported generator types to include the new Cloudsmith integration.

bindata/external-secrets/resources/clusterrolebinding_external-secrets-controller.yml (1)

9-9: LGTM!

Version label update to v0.20.4 is consistent with the upstream bump objective.

bindata/external-secrets/resources/clusterrole_external-secrets-cert-controller.yml (1)

9-9: LGTM!

Version label updated to v0.20.4 and new endpointslices permission added for the cert-controller. The endpointslices rule complements the existing endpoints rule and aligns with Kubernetes API evolution for service discovery.

Also applies to: 48-55

config/crd/bases/customresourcedefinition_stssessiontokens.generators.external-secrets.io.yml (1)

6-6: LGTM!

Kubebuilder annotation version bump to v0.19.0 and description refinements for the STSSessionToken CRD. Changes are cosmetic improvements for consistency with upstream terminology.

Also applies to: 50-50, 56-56, 59-59

bindata/external-secrets/resources/clusterrole_external-secrets-controller.yml (2)

67-67: LGTM!

Addition of cloudsmithaccesstokens to the generators resources list aligns with the new CloudsmithAccessToken generator support introduced in v0.20.x.


95-101: Verify the namespace update/patch permissions are documented as required by upstream external-secrets v0.20.x.

External-secrets v0.20 does include namespace-related feature changes, but upstream documentation does not clearly justify why the controller needs cluster-wide namespace update and patch permissions. Confirm this permission scope is intentional and necessary before accepting.

config/crd/bases/customresourcedefinition_clusterexternalsecrets.external-secrets.io.yml (3)

6-6: LGTM!

Kubebuilder annotation updated to v0.19.0 and CloudsmithAccessToken correctly added to generatorRef.kind enum in the v1 schema. The v1beta1 schema intentionally omits this new generator type as it's deprecated.

Also applies to: 156-156, 391-391


546-549: LGTM!

The new finalizers field in template.metadata enables custom finalizer management on generated Secrets, providing better lifecycle control.


308-336: LGTM!

New merge rewrite options (priorityPolicy with IgnoreNotFound/Strict, and refined conflictPolicy enum) provide more granular control over secret key merging behavior.

bundle/manifests/generators.external-secrets.io_gcraccesstokens.yaml (1)

131-249: LGTM!

The new workloadIdentityFederation section provides a comprehensive configuration for federated access token generation, supporting:

  • Kubernetes ServiceAccount token federation (serviceAccountRef)
  • AWS cross-cloud federation (awsSecurityCredentials)
  • External credential configuration via ConfigMap (credConfig)

The schema includes proper validation patterns and required field specifications.

config/crd/bases/customresourcedefinition_clusterpushsecrets.external-secrets.io.yml (1)

260-260: LGTM!

CloudsmithAccessToken added to generatorRef.kind enum and finalizers field added to template.metadata, consistent with the schema extensions applied to other CRDs in this PR.

Also applies to: 372-375

bundle/manifests/external-secrets.io_externalsecrets.yaml (3)

148-148: LGTM!

CloudsmithAccessToken added to generatorRef.kind enums and finalizers field added to template.metadata, consistent with the schema extensions across all CRDs in this PR.

Also applies to: 396-396, 556-559


726-730: LGTM!

The new selectableFields section enables field-based filtering for ExternalSecret resources using Kubernetes field selectors. This is a useful enhancement for operators managing large numbers of ExternalSecrets.


702-706: LGTM!

The ExternalSecretConditionType enum now explicitly defines Ready and Deleted as valid condition types, improving schema validation.

bundle/manifests/generators.external-secrets.io_vaultdynamicsecrets.yaml (4)

5-5: LGTM!

Standard controller-gen version bump aligns with the upstream dependency update.


26-27: LGTM!

Helpful documentation additions for the CRD schema.

Also applies to: 47-47


191-196: LGTM!

The new path field for cert auth follows the same pattern as other authentication methods (appRole, jwt, ldap, kubernetes, userPass) and maintains backward compatibility with the sensible default.


751-762: LGTM!

The Check-And-Set (CAS) feature is a valuable security enhancement for PushSecret operations, helping prevent race conditions and unintentional overwrites in Vault KV v2 stores. The schema is correctly structured and the feature is properly scoped as optional.

bundle/manifests/external-secrets.io_clusterexternalsecrets.yaml (5)

5-5: LGTM: controller-gen version bump.

The update to v0.19.0 aligns with the upstream bump mentioned in the PR objectives.


325-357: LGTM: Enhanced merge rewrite configuration.

The additions to the merge rewrite configuration are well-structured:

  • conflictPolicy defines conflict resolution behavior
  • priorityPolicy (new field) handles missing priority keys with a sensible default of "Strict"
  • strategy controls merge behavior with appropriate default "Extract"

All fields have appropriate defaults ensuring backwards compatibility.


577-580: LGTM: Finalizers field added to template metadata.

The addition of the finalizers field to template.metadata allows users to specify finalizers on generated Secrets, which aligns with standard Kubernetes metadata structures. This field is appropriately:

  • Added only to v1 (not the deprecated v1beta1)
  • Defined as an optional array
  • Backwards compatible with existing resources

221-223: LGTM: Documentation improvements throughout the CRD.

The description updates across the schema provide clearer, more precise documentation for:

  • ExternalSecretDataFromRemoteRef and ExternalSecretRewrite behavior
  • Template-related fields (TemplateFrom, TemplateRef, TemplateScope, TemplateTarget, TemplateMergePolicy)
  • Status condition types
  • Target configuration

These changes improve API usability and developer experience without any functional impact.

Also applies to: 311-312, 507-509, 563-564, 588-679, 816-817, 824-825, 881-881, 1063-1064, 1152-1153, 1359-1360, 1380-1472, 1608-1609, 1616-1617


166-166: CloudsmithAccessToken is a supported generator type. The addition to the generatorRef.kind enum is correct. The CloudsmithAccessToken generator is defined in its own CRD at config/crd/bases/customresourcedefinition_cloudsmithaccesstokens.generators.external-secrets.io.yml and consistently added across all generator-referencing CRDs (ExternalSecrets, ClusterExternalSecrets, PushSecrets, etc.). It generates Cloudsmith access tokens using OIDC authentication with configurable API URL, organization slug, and service slug fields. The addition to v1 only (not v1beta1) is appropriate.
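The Check-And-Set option on Vault KV v2 called out above (the PushSecret cas field) is easiest to see with a model of Vault's rules. The following Go program is an added example, not code from external-secrets, this operator or the review above; its KVv2 store, error values and LostUpdateDemo are constructed to mirror the cas and cas_required semantics of a KV v2 mount and are not a client for a real Vault server.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Added example, not code from external-secrets or this operator: an in-memory
// model of Vault KV v2 Check-And-Set (CAS) semantics, so the lost-update race
// that the PushSecret CAS option guards against can be observed without a
// Vault server. KVv2, Put, Get and LostUpdateDemo are constructed for this example.

var (
	ErrCASMismatch = errors.New("check-and-set parameter did not match the current version")
	ErrCASRequired = errors.New("check-and-set parameter required for this call")
)

type version struct {
	num  int
	data map[string]string
}

// KVv2 mimics one KV v2 mount: every path keeps a version history, and the
// mount may require a cas parameter on every write (Vault's cas_required).
type KVv2 struct {
	mu          sync.Mutex
	casRequired bool
	paths       map[string][]version
}

func NewKVv2(casRequired bool) *KVv2 {
	return &KVv2{casRequired: casRequired, paths: map[string][]version{}}
}

// Put writes data to path. A negative cas means "no cas option supplied".
// Vault's rules: cas=0 succeeds only when the secret does not exist yet,
// cas=N succeeds only when N is the current version, and a missing cas is
// rejected when cas_required is set. It returns the version it created.
func (kv *KVv2) Put(path string, data map[string]string, cas int) (int, error) {
	kv.mu.Lock()
	defer kv.mu.Unlock()

	hist := kv.paths[path]
	current := 0
	if len(hist) > 0 {
		current = hist[len(hist)-1].num
	}
	if cas < 0 && kv.casRequired {
		return 0, ErrCASRequired
	}
	if cas >= 0 && cas != current {
		return 0, fmt.Errorf("%w: current version %d, cas %d", ErrCASMismatch, current, cas)
	}
	copied := make(map[string]string, len(data))
	for k, v := range data {
		copied[k] = v
	}
	kv.paths[path] = append(hist, version{num: current + 1, data: copied})
	return current + 1, nil
}

// Get returns the latest data and its version; version 0 means nothing was written.
func (kv *KVv2) Get(path string) (map[string]string, int) {
	kv.mu.Lock()
	defer kv.mu.Unlock()
	hist := kv.paths[path]
	if len(hist) == 0 {
		return nil, 0
	}
	last := hist[len(hist)-1]
	return last.data, last.num
}

// LostUpdateDemo has two writers read the same version and then both write,
// which is what two reconcilers racing on one Vault path look like. Without
// CAS the second write silently drops the first writer's key; with CAS the
// second write fails and the caller must re-read before retrying. It returns
// the final data and the error the second writer saw.
func LostUpdateDemo(useCAS bool) (map[string]string, error) {
	kv := NewKVv2(false)
	const path = "secret/data/app"
	if _, err := kv.Put(path, map[string]string{"db": "pw1"}, -1); err != nil {
		return nil, err
	}
	_, seen := kv.Get(path) // both writers observe version 1
	casA, casB := -1, -1
	if useCAS {
		casA, casB = seen, seen
	}
	if _, err := kv.Put(path, map[string]string{"db": "pw1", "api": "k1"}, casA); err != nil {
		return nil, err
	}
	_, secondErr := kv.Put(path, map[string]string{"db": "pw2"}, casB)
	final, _ := kv.Get(path)
	return final, secondErr
}

func main() {
	for _, useCAS := range []bool{false, true} {
		final, err := LostUpdateDemo(useCAS)
		fmt.Printf("cas=%-5v final=%v secondWriteErr=%v\n", useCAS, final, err)
	}
}
```

Running it prints the two outcomes side by side: without CAS the "api" key written by the first writer is gone, with CAS the stale second write is rejected and the first writer's data survives. The same error is what a PushSecret reconciler sees from a real KV v2 mount, and its correct response is to re-read the current version rather than retry the same cas value.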
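The review asks whether cluster-wide update/patch on namespaces is justified. One way to make that question mechanical is to run each ClusterRole through a check that lists the write and privileged verbs granted on resources that need a justification. The Go program below is an added example, not part of the operator or of upstream external-secrets; PolicyRule, sensitive, Finding and sampleRole are constructed for it, and sampleRole only models the rules discussed in the review rather than reproducing the real manifest.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Added example, not operator code: a small ClusterRole audit using only the
// standard library. PolicyRule mirrors the rbac.authorization.k8s.io/v1 fields
// that matter here; sampleRole is a constructed document modelled on the rules
// discussed in the review, not the real manifest.

type PolicyRule struct {
	APIGroups []string `json:"apiGroups"`
	Resources []string `json:"resources"`
	Verbs     []string `json:"verbs"`
}

type ClusterRole struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Rules []PolicyRule `json:"rules"`
}

type Finding struct {
	Resource string   // "<apiGroup>/<resource>", with the core group shown as "core"
	Verbs    []string // offending verbs, sorted
	Reason   string
}

var writeVerbs = map[string]bool{"create": true, "update": true, "patch": true, "delete": true, "deletecollection": true}
var privilegedVerbs = map[string]bool{"escalate": true, "bind": true, "impersonate": true}

// Why a write verb on these resources needs an explicit justification in review.
var sensitive = map[string]string{
	"namespaces":          "cluster-scoped; update/patch lets the subject relabel or annotate any namespace",
	"endpoints":           "write access can point a Service at arbitrary addresses",
	"secrets":             "cluster-wide secret writes; confirm the scope is required",
	"clusterroles":        "RBAC object; write enables privilege escalation",
	"clusterrolebindings": "RBAC object; write enables privilege escalation",
	"roles":               "RBAC object; write enables privilege escalation",
	"rolebindings":        "RBAC object; write enables privilege escalation",
}

func qualified(group, res string) string {
	if group == "" {
		group = "core"
	}
	return group + "/" + res
}

// AuditClusterRole parses a ClusterRole JSON document (as from kubectl get -o json)
// and returns one Finding per resource that is granted a wildcard, a privileged
// verb, or a write verb on a sensitive resource, sorted by resource name.
func AuditClusterRole(doc []byte) ([]Finding, error) {
	var role ClusterRole
	if err := json.Unmarshal(doc, &role); err != nil {
		return nil, err
	}
	var out []Finding
	for _, rule := range role.Rules {
		var risky []string
		wildcardVerb, privileged := false, false
		for _, v := range rule.Verbs {
			switch {
			case v == "*":
				wildcardVerb = true
			case privilegedVerbs[v]:
				privileged = true
				risky = append(risky, v)
			case writeVerbs[v]:
				risky = append(risky, v)
			}
		}
		sort.Strings(risky)
		for _, group := range rule.APIGroups {
			for _, res := range rule.Resources {
				name := qualified(group, res)
				reason, isSensitive := sensitive[res]
				switch {
				case wildcardVerb || res == "*" || group == "*":
					out = append(out, Finding{name, append([]string(nil), rule.Verbs...), "wildcard rule"})
				case privileged:
					out = append(out, Finding{name, risky, "privileged verb (escalate/bind/impersonate)"})
				case len(risky) > 0 && isSensitive:
					out = append(out, Finding{name, risky, reason})
				}
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Resource < out[j].Resource })
	return out, nil
}

// FindingFor looks up the finding for one qualified resource name.
func FindingFor(findings []Finding, resource string) (Finding, bool) {
	for _, f := range findings {
		if f.Resource == resource {
			return f, true
		}
	}
	return Finding{}, false
}

// sampleRole is constructed for this example; it models the rules discussed in
// the review (namespaces patch/update, endpoints create, read-only endpointslices
// and generators, secret writes) and is not the operator's real ClusterRole.
var sampleRole = []byte(`{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "external-secrets-controller"},
  "rules": [
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list", "watch", "patch", "update"]},
    {"apiGroups": [""], "resources": ["endpoints"], "verbs": ["create", "get", "list", "watch"]},
    {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["generators.external-secrets.io"], "resources": ["acraccesstokens", "cloudsmithaccesstokens"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}
  ]
}`)

func main() {
	findings, err := AuditClusterRole(sampleRole)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-32s %-28s %s\n", f.Resource, strings.Join(f.Verbs, ","), f.Reason)
	}
}
```

On the sample role the read-only endpointslices and generators rules produce nothing, while namespaces (patch, update), endpoints (create) and secrets are listed with the reason each one should be justified in the PR description. Pointing the same function at `kubectl get clusterrole external-secrets-controller -o json` gives the list a reviewer can compare against the upstream release notes.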

seccompProfile:
type: RuntimeDefault
image: oci.external-secrets.io/external-secrets/external-secrets:v0.19.0
image: oci.external-secrets.io/external-secrets/external-secrets:v0.20.4
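Review bot: the new image line pins external-secrets by tag only (`image: oci.external-secrets.io/external-secrets/external-secrets:v0.20.4`); tags are mutable, and this manifest is embedded in the operator bundle, so consider adding the digest as well, e.g. `image: oci.external-secrets.io/external-secrets/external-secrets:v0.20.4@sha256:<digest>` with the digest taken from the upstream v0.20.4 release. Keeping the tag next to the digest preserves readability while making the bundle reproducible and letting the bump be verified against the release rather than the registry's current state of the tag.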

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify external-secrets v0.20.4 image and check for security advisories

echo "=== Checking image availability ==="
# Check if crane is available
if ! command -v crane &> /dev/null; then
  echo "crane not available, attempting to install..."
  pip install go-crane 2>/dev/null || echo "Cannot install crane"
fi

# Try to fetch image metadata
if command -v crane &> /dev/null; then
  crane digest oci.external-secrets.io/external-secrets/external-secrets:v0.20.4 2>&1 | head -10
else
  echo "crane unavailable, checking via curl"
  curl -s -I https://oci.external-secrets.io/v2/external-secrets/external-secrets/manifests/v0.20.4 2>&1 | head -5
fi

echo -e "\n=== Checking GitHub release information ==="
# Check if gh CLI is available
if command -v gh &> /dev/null; then
  echo "GitHub CLI available - skipping due to auth requirements"
else
  echo "gh CLI not available in sandbox"
fi

echo -e "\n=== Checking via public GitHub API (no auth) ==="
# Fetch external-secrets releases data
curl -s "https://api.github.com/repos/external-secrets/external-secrets/releases?per_page=20" | \
  python3 -c "
import sys, json
try:
    data = json.load(sys.stdin)
    for release in data:
        tag = release.get('tag_name', '')
        if tag in ['v0.20.4', 'v0.20.3', 'v0.20.2', 'v0.20.1', 'v0.20.0', 'v0.19.0']:
            print(f\"Tag: {tag}\")
            print(f\"Published: {release.get('published_at', '')}\")
            print(f\"Prerelease: {release.get('prerelease', False)}\")
            print(f\"Body (first 300 chars): {release.get('body', '')[:300]}\")
            print('---')
except Exception as e:
    print(f'Error: {e}')
" 2>&1

echo -e "\n=== Checking external-secrets documentation and GitHub repo ==="
# Get basic repo info
curl -s "https://api.github.com/repos/external-secrets/external-secrets" | \
  python3 -c "
import sys, json
try:
    data = json.load(sys.stdin)
    print(f\"Repo: {data.get('full_name', '')}\")
    print(f\"Description: {data.get('description', '')}\")
    print(f\"Latest release: {data.get('latest_release', {}).get('tag_name', 'N/A')}\")
    print(f\"Stars: {data.get('stargazers_count', '')}\")
except Exception as e:
    print(f'Error: {e}')
" 2>&1

Repository: openshift/external-secrets-operator

Length of output: 2948


🏁 Script executed:

#!/bin/bash

echo "=== Fetching full release notes for v0.20.4 ==="
curl -s "https://api.github.com/repos/external-secrets/external-secrets/releases/tags/v0.20.4" | \
  python3 -c "
import sys, json
try:
    data = json.load(sys.stdin)
    print('=== v0.20.4 Release Notes ===')
    print(data.get('body', '')[:2000])
except Exception as e:
    print(f'Error: {e}')
"

echo -e "\n=== Fetching release notes for v0.20.0 (first minor version) ==="
curl -s "https://api.github.com/repos/external-secrets/external-secrets/releases/tags/v0.20.0" | \
  python3 -c "
import sys, json
try:
    data = json.load(sys.stdin)
    print('=== v0.20.0 Release Notes (first 2000 chars) ===')
    print(data.get('body', '')[:2000])
except Exception as e:
    print(f'Error: {e}')
"

echo -e "\n=== Checking for image location documentation ==="
# Check if there's any documentation or CHANGELOG about image registries
curl -s "https://raw.githubusercontent.com/external-secrets/external-secrets/main/README.md" | grep -i "ghcr\|oci\|registry\|image" | head -20

Repository: openshift/external-secrets-operator

Length of output: 4427


🏁 Script executed:

#!/bin/bash

echo "=== Checking for oci.external-secrets.io in official docs/config ==="
# Check main README
curl -s "https://raw.githubusercontent.com/external-secrets/external-secrets/main/README.md" | grep -i "oci.external-secrets" | head -10

echo -e "\n=== Checking helm chart values ==="
# Check if helm chart (which deploys this) mentions the registry
curl -s "https://raw.githubusercontent.com/external-secrets/external-secrets/main/deploy/helm-chart/values.yaml" | grep -i "registry\|image" -A2 -B2 | head -40

echo -e "\n=== Checking CHANGELOG for registry changes ==="
curl -s "https://raw.githubusercontent.com/external-secrets/external-secrets/main/CHANGELOG.md" | grep -i "oci\|registry" | head -10

echo -e "\n=== Checking if repository is external-secrets-operator (OpenShift specific) ==="
# This repository appears to be openshift/external-secrets-operator, not external-secrets/external-secrets
# Check if there's documentation about oci.external-secrets.io
curl -s "https://raw.githubusercontent.com/openshift/external-secrets-operator/main/README.md" 2>/dev/null | grep -i "oci\|registry\|image" | head -20

Repository: openshift/external-secrets-operator

Length of output: 1002


🏁 Script executed:

#!/bin/bash

echo "=== Checking file location and context ==="
file_path="bindata/external-secrets/resources/deployment_external-secrets-cert-controller.yml"

# Check if this file exists and its context
find . -name "deployment_external-secrets-cert-controller.yml" 2>/dev/null

echo -e "\n=== Checking if this is part of bindata/vendor pattern ==="
ls -la bindata/external-secrets/resources/ 2>/dev/null | head -20

echo -e "\n=== Checking for registry configuration in OpenShift operator ==="
find . -type f \( -name "*.go" -o -name "*.yaml" -o -name "*.md" \) -path "*/external-secrets/*" 2>/dev/null | head -20 | xargs grep -l "oci.external-secrets.io" 2>/dev/null

echo -e "\n=== Checking OpenShift operator image references ==="
grep -r "oci.external-secrets.io" . --include="*.yml" --include="*.yaml" 2>/dev/null | head -10

echo -e "\n=== Checking if bindata contains vendored/bundled manifests ==="
head -50 "bindata/external-secrets/resources/deployment_external-secrets-cert-controller.yml" 2>/dev/null

Repository: openshift/external-secrets-operator

Length of output: 4741


🏁 Script executed:

#!/bin/bash

echo "=== Comparing version references across files ==="
echo "bindata deployments:"
grep -h "v0\.[0-9]\+\.[0-9]\+" bindata/external-secrets/resources/deployment*.yml | grep -i image | sort -u

echo -e "\n=== config/manager version references ==="
grep -r "external-secrets:" config/manager/ 2>/dev/null | grep -v ".swp"

echo -e "\n=== bundle/manifests version references ==="
grep "external-secrets:" bundle/manifests/external-secrets-operator.clusterserviceversion.yaml 2>/dev/null | sort -u

echo -e "\n=== Check if this PR is supposed to update all files ==="
# Look for any documentation or PR guidelines about versioning
find . -name "*.md" -o -name "CONTRIBUTING*" -o -name "DEVELOPMENT*" 2>/dev/null | xargs grep -l "version\|update" 2>/dev/null | head -5

Repository: openshift/external-secrets-operator

Length of output: 884


Update all version references consistently; verify image registry alignment with upstream sources.

This PR updates bindata deployments to v0.20.4 but leaves config/manager/manager.yaml and bundle/manifests/external-secrets-operator.clusterserviceversion.yaml at v0.19.0. This inconsistency will cause different components to run different versions.

Additionally, the deployment uses the oci.external-secrets.io registry while the official external-secrets project publishes images to ghcr.io. This registry is not documented in the upstream project and cannot be verified as an official source. Confirm whether:

  • All version references should be updated to v0.20.4, or if a phased rollout is intentional
  • oci.external-secrets.io is an approved/documented image source (e.g., OpenShift vendor mirror), or if it should align with upstream's ghcr.io

@openshift-ci

openshift-ci bot commented Dec 24, 2025

@siddhibhor-56: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.


4 participants