chore: Update manifests after change

2026-05-15 16:36:46 +00:00
parent b3af9239ca
commit d12dfb2338
29 changed files with 337 additions and 63 deletions
--- a/clusters/cl01tl/manifests/external-secrets/ClusterRole-external-secrets-cert-controller.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/ClusterRole-external-secrets-cert-controller.yaml
@@ -3,10 +3,10 @@ kind: ClusterRole
 metadata:
  name: external-secrets-cert-controller
  labels:
-    helm.sh/chart: external-secrets-2.4.1
+    helm.sh/chart: external-secrets-2.5.0
    app.kubernetes.io/name: external-secrets-cert-controller
    app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v2.4.1"
+    app.kubernetes.io/version: "v2.5.0"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/metrics: "cert-controller"
 rules:
--- a/clusters/cl01tl/manifests/external-secrets/ClusterRole-external-secrets-controller.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/ClusterRole-external-secrets-controller.yaml
@@ -3,10 +3,10 @@ kind: ClusterRole
 metadata:
  name: external-secrets-controller
  labels:
-    helm.sh/chart: external-secrets-2.4.1
+    helm.sh/chart: external-secrets-2.5.0
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v2.4.1"
+    app.kubernetes.io/version: "v2.5.0"
    app.kubernetes.io/managed-by: Helm
 rules:
  - apiGroups:
--- a/clusters/cl01tl/manifests/external-secrets/ClusterRole-external-secrets-edit.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/ClusterRole-external-secrets-edit.yaml
@@ -3,10 +3,10 @@ kind: ClusterRole
 metadata:
  name: external-secrets-edit
  labels:
-    helm.sh/chart: external-secrets-2.4.1
+    helm.sh/chart: external-secrets-2.5.0
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v2.4.1"
+    app.kubernetes.io/version: "v2.5.0"
    app.kubernetes.io/managed-by: Helm
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
--- a/clusters/cl01tl/manifests/external-secrets/ClusterRole-external-secrets-servicebindings.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/ClusterRole-external-secrets-servicebindings.yaml
@@ -4,10 +4,10 @@ metadata:
  name: external-secrets-servicebindings
  labels:
    servicebinding.io/controller: "true"
-    helm.sh/chart: external-secrets-2.4.1
+    helm.sh/chart: external-secrets-2.5.0
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v2.4.1"
+    app.kubernetes.io/version: "v2.5.0"
    app.kubernetes.io/managed-by: Helm
 rules:
  - apiGroups:
--- a/clusters/cl01tl/manifests/external-secrets/ClusterRole-external-secrets-view.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/ClusterRole-external-secrets-view.yaml
@@ -3,10 +3,10 @@ kind: ClusterRole
 metadata:
  name: external-secrets-view
  labels:
-    helm.sh/chart: external-secrets-2.4.1
+    helm.sh/chart: external-secrets-2.5.0
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v2.4.1"
+    app.kubernetes.io/version: "v2.5.0"
    app.kubernetes.io/managed-by: Helm
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
--- a/clusters/cl01tl/manifests/external-secrets/ClusterRoleBinding-external-secrets-cert-controller.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/ClusterRoleBinding-external-secrets-cert-controller.yaml
@@ -3,10 +3,10 @@ kind: ClusterRoleBinding
 metadata:
  name: external-secrets-cert-controller
  labels:
-    helm.sh/chart: external-secrets-2.4.1
+    helm.sh/chart: external-secrets-2.5.0
    app.kubernetes.io/name: external-secrets-cert-controller
    app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v2.4.1"
+    app.kubernetes.io/version: "v2.5.0"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/metrics: "cert-controller"
 roleRef:
--- a/clusters/cl01tl/manifests/external-secrets/ClusterRoleBinding-external-secrets-controller.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/ClusterRoleBinding-external-secrets-controller.yaml
@@ -3,10 +3,10 @@ kind: ClusterRoleBinding
 metadata:
  name: external-secrets-controller
  labels:
-    helm.sh/chart: external-secrets-2.4.1
+    helm.sh/chart: external-secrets-2.5.0
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v2.4.1"
+    app.kubernetes.io/version: "v2.5.0"
    app.kubernetes.io/managed-by: Helm
 roleRef:
  apiGroup: rbac.authorization.k8s.io
--- a/clusters/cl01tl/manifests/external-secrets/CustomResourceDefinition-clustergenerators.generators.external-secrets.io.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/CustomResourceDefinition-clustergenerators.generators.external-secrets.io.yaml
@@ -564,6 +564,18 @@ spec:
                                    credential_source.url in the provided credConfig. This field is merely to double-check the external token source
                                    URL is having the expected value.
                                  type: string
                                gcpServiceAccountEmail:
                                  description: |-
                                    GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
                                    after Workload Identity Federation. Use this to grant access through the service account's
                                    IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
                                    service_account_impersonation_url in the external account JSON from credConfig;
                                    when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
                                    on that ServiceAccount.
                                  example: my-gsa@my-project.iam.gserviceaccount.com
                                  minLength: 1
                                  pattern: ^.*@.*\.iam\.gserviceaccount\.com$
                                  type: string
                                serviceAccountRef:
                                  description: |-
                                    serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
--- a/clusters/cl01tl/manifests/external-secrets/CustomResourceDefinition-clustersecretstores.external-secrets.io.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/CustomResourceDefinition-clustersecretstores.external-secrets.io.yaml
@@ -486,6 +486,16 @@ spec:
                                  type: object
                              type: object
                          type: object
                        customSessionTags:
                          additionalProperties:
                            type: string
                          description: |-
                            CustomSessionTags defines additional STS session tags to include when SessionTagsPolicy is Custom.
                            These are merged with the automatically injected esoNamespace, esoStoreName, and esoStoreKind tags.
                          type: object
                          x-kubernetes-validations:
                            - message: 'customSessionTags cannot contain automatically injected reserved keys: esoNamespace, esoStoreName, esoStoreKind'
                              rule: '!(''esoNamespace'' in self) && !(''esoStoreName'' in self) && !(''esoStoreKind'' in self)'
                        externalID:
                          description: AWS External ID set on assumed IAM roles
                          type: string
@@ -541,6 +551,19 @@ spec:
                              - value
                            type: object
                          type: array
                        sessionTagsPolicy:
                          default: None
                          description: |-
                            SessionTagsPolicy controls whether and how STS session tags are added when assuming roles.
                            None (default): no tags are added.
                            Simple: automatically adds esoNamespace (from the ExternalSecret), esoStoreName, and esoStoreKind tags.
                            Custom: adds esoNamespace, esoStoreName, and esoStoreKind plus any tags defined in CustomSessionTags.
                            Note: the IAM role must have sts:TagSession permission when using Simple or Custom.
                          enum:
                            - None
                            - Simple
                            - Custom
                          type: string
                        transitiveTagKeys:
                          description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
                          items:
@@ -1995,6 +2018,18 @@ spec:
                                    credential_source.url in the provided credConfig. This field is merely to double-check the external token source
                                    URL is having the expected value.
                                  type: string
                                gcpServiceAccountEmail:
                                  description: |-
                                    GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
                                    after Workload Identity Federation. Use this to grant access through the service account's
                                    IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
                                    service_account_impersonation_url in the external account JSON from credConfig;
                                    when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
                                    on that ServiceAccount.
                                  example: my-gsa@my-project.iam.gserviceaccount.com
                                  minLength: 1
                                  pattern: ^.*@.*\.iam\.gserviceaccount\.com$
                                  type: string
                                serviceAccountRef:
                                  description: |-
                                    serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
@@ -4223,7 +4258,10 @@ spec:
                      description: Pulumi configures this store to sync secrets using the Pulumi provider
                      properties:
                        accessToken:
-                          description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
+                          description: |-
                            AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
                            Deprecated: Use auth.accessToken instead.
                          properties:
                            secretRef:
                              description: SecretRef is a reference to a secret containing the Pulumi API token.
@@ -4256,6 +4294,91 @@ spec:
                          default: https://api.pulumi.com/api/esc
                          description: APIURL is the URL of the Pulumi API.
                          type: string
                        auth:
                          description: |-
                            Auth configures how the Operator authenticates with the Pulumi API.
                            Either auth or the deprecated accessToken field must be specified.
                          properties:
                            accessToken:
                              description: AccessToken authenticates using a Pulumi access token stored in a Kubernetes Secret.
                              properties:
                                secretRef:
                                  description: SecretRef is a reference to a secret containing the Pulumi API token.
                                  properties:
                                    key:
                                      description: |-
                                        A key in the referenced Secret.
                                        Some instances of this field may be defaulted, in others it may be required.
                                      maxLength: 253
                                      minLength: 1
                                      pattern: ^[-._a-zA-Z0-9]+$
                                      type: string
                                    name:
                                      description: The name of the Secret resource being referred to.
                                      maxLength: 253
                                      minLength: 1
                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                      type: string
                                    namespace:
                                      description: |-
                                        The namespace of the Secret resource being referred to.
                                        Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                      maxLength: 63
                                      minLength: 1
                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                      type: string
                                  type: object
                              type: object
                            oidcConfig:
                              description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
                              properties:
                                expirationSeconds:
                                  default: 600
                                  description: |-
                                    ExpirationSeconds sets the token validity duration for service account and OIDC token.
                                    Defaults to 10 minutes.
                                  format: int64
                                  minimum: 600
                                  type: integer
                                organization:
                                  description: Organization is the name of the Pulumi organization configured for OIDC authentication.
                                  type: string
                                serviceAccountRef:
                                  description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
                                  properties:
                                    audiences:
                                      description: |-
                                        Audience specifies the `aud` claim for the service account token
                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                        then this audiences will be appended to the list
                                      items:
                                        type: string
                                      type: array
                                    name:
                                      description: The name of the ServiceAccount resource being referred to.
                                      maxLength: 253
                                      minLength: 1
                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                      type: string
                                    namespace:
                                      description: |-
                                        Namespace of the resource being referred to.
                                        Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                      maxLength: 63
                                      minLength: 1
                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                      type: string
                                  required:
                                    - name
                                  type: object
                              required:
                                - organization
                                - serviceAccountRef
                              type: object
                          type: object
                          x-kubernetes-validations:
                            - message: Exactly one of 'accessToken' or 'oidcConfig' must be specified
                              rule: (has(self.accessToken) && !has(self.oidcConfig)) || (!has(self.accessToken) && has(self.oidcConfig))
                        environment:
                          description: |-
                            Environment are YAML documents composed of static key-value pairs, programmatic expressions,
@@ -4272,11 +4395,13 @@ spec:
                          description: Project is the name of the Pulumi ESC project the environment belongs to.
                          type: string
                      required:
                        - accessToken
                        - environment
                        - organization
                        - project
                      type: object
                      x-kubernetes-validations:
                        - message: Exactly one of 'auth' or deprecated 'accessToken' must be specified
                          rule: (has(self.auth) && !has(self.accessToken)) || (!has(self.auth) && has(self.accessToken))
                    scaleway:
                      description: Scaleway configures this store to sync secrets using the Scaleway provider.
                      properties:
--- a/clusters/cl01tl/manifests/external-secrets/CustomResourceDefinition-gcraccesstokens.generators.external-secrets.io.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/CustomResourceDefinition-gcraccesstokens.generators.external-secrets.io.yaml
@@ -202,6 +202,18 @@ spec:
                            credential_source.url in the provided credConfig. This field is merely to double-check the external token source
                            URL is having the expected value.
                          type: string
                        gcpServiceAccountEmail:
                          description: |-
                            GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
                            after Workload Identity Federation. Use this to grant access through the service account's
                            IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
                            service_account_impersonation_url in the external account JSON from credConfig;
                            when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
                            on that ServiceAccount.
                          example: my-gsa@my-project.iam.gserviceaccount.com
                          minLength: 1
                          pattern: ^.*@.*\.iam\.gserviceaccount\.com$
                          type: string
                        serviceAccountRef:
                          description: |-
                            serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
--- a/clusters/cl01tl/manifests/external-secrets/CustomResourceDefinition-secretstores.external-secrets.io.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/CustomResourceDefinition-secretstores.external-secrets.io.yaml
@@ -486,6 +486,16 @@ spec:
                                  type: object
                              type: object
                          type: object
                        customSessionTags:
                          additionalProperties:
                            type: string
                          description: |-
                            CustomSessionTags defines additional STS session tags to include when SessionTagsPolicy is Custom.
                            These are merged with the automatically injected esoNamespace, esoStoreName, and esoStoreKind tags.
                          type: object
                          x-kubernetes-validations:
                            - message: 'customSessionTags cannot contain automatically injected reserved keys: esoNamespace, esoStoreName, esoStoreKind'
                              rule: '!(''esoNamespace'' in self) && !(''esoStoreName'' in self) && !(''esoStoreKind'' in self)'
                        externalID:
                          description: AWS External ID set on assumed IAM roles
                          type: string
@@ -541,6 +551,19 @@ spec:
                              - value
                            type: object
                          type: array
                        sessionTagsPolicy:
                          default: None
                          description: |-
                            SessionTagsPolicy controls whether and how STS session tags are added when assuming roles.
                            None (default): no tags are added.
                            Simple: automatically adds esoNamespace (from the ExternalSecret), esoStoreName, and esoStoreKind tags.
                            Custom: adds esoNamespace, esoStoreName, and esoStoreKind plus any tags defined in CustomSessionTags.
                            Note: the IAM role must have sts:TagSession permission when using Simple or Custom.
                          enum:
                            - None
                            - Simple
                            - Custom
                          type: string
                        transitiveTagKeys:
                          description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
                          items:
@@ -1995,6 +2018,18 @@ spec:
                                    credential_source.url in the provided credConfig. This field is merely to double-check the external token source
                                    URL is having the expected value.
                                  type: string
                                gcpServiceAccountEmail:
                                  description: |-
                                    GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
                                    after Workload Identity Federation. Use this to grant access through the service account's
                                    IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
                                    service_account_impersonation_url in the external account JSON from credConfig;
                                    when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
                                    on that ServiceAccount.
                                  example: my-gsa@my-project.iam.gserviceaccount.com
                                  minLength: 1
                                  pattern: ^.*@.*\.iam\.gserviceaccount\.com$
                                  type: string
                                serviceAccountRef:
                                  description: |-
                                    serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
@@ -4223,7 +4258,10 @@ spec:
                      description: Pulumi configures this store to sync secrets using the Pulumi provider
                      properties:
                        accessToken:
-                          description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
+                          description: |-
                            AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
                            Deprecated: Use auth.accessToken instead.
                          properties:
                            secretRef:
                              description: SecretRef is a reference to a secret containing the Pulumi API token.
@@ -4256,6 +4294,91 @@ spec:
                          default: https://api.pulumi.com/api/esc
                          description: APIURL is the URL of the Pulumi API.
                          type: string
                        auth:
                          description: |-
                            Auth configures how the Operator authenticates with the Pulumi API.
                            Either auth or the deprecated accessToken field must be specified.
                          properties:
                            accessToken:
                              description: AccessToken authenticates using a Pulumi access token stored in a Kubernetes Secret.
                              properties:
                                secretRef:
                                  description: SecretRef is a reference to a secret containing the Pulumi API token.
                                  properties:
                                    key:
                                      description: |-
                                        A key in the referenced Secret.
                                        Some instances of this field may be defaulted, in others it may be required.
                                      maxLength: 253
                                      minLength: 1
                                      pattern: ^[-._a-zA-Z0-9]+$
                                      type: string
                                    name:
                                      description: The name of the Secret resource being referred to.
                                      maxLength: 253
                                      minLength: 1
                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                      type: string
                                    namespace:
                                      description: |-
                                        The namespace of the Secret resource being referred to.
                                        Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                      maxLength: 63
                                      minLength: 1
                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                      type: string
                                  type: object
                              type: object
                            oidcConfig:
                              description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
                              properties:
                                expirationSeconds:
                                  default: 600
                                  description: |-
                                    ExpirationSeconds sets the token validity duration for service account and OIDC token.
                                    Defaults to 10 minutes.
                                  format: int64
                                  minimum: 600
                                  type: integer
                                organization:
                                  description: Organization is the name of the Pulumi organization configured for OIDC authentication.
                                  type: string
                                serviceAccountRef:
                                  description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
                                  properties:
                                    audiences:
                                      description: |-
                                        Audience specifies the `aud` claim for the service account token
                                        If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                        then this audiences will be appended to the list
                                      items:
                                        type: string
                                      type: array
                                    name:
                                      description: The name of the ServiceAccount resource being referred to.
                                      maxLength: 253
                                      minLength: 1
                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                      type: string
                                    namespace:
                                      description: |-
                                        Namespace of the resource being referred to.
                                        Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                      maxLength: 63
                                      minLength: 1
                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                      type: string
                                  required:
                                    - name
                                  type: object
                              required:
                                - organization
                                - serviceAccountRef
                              type: object
                          type: object
                          x-kubernetes-validations:
                            - message: Exactly one of 'accessToken' or 'oidcConfig' must be specified
                              rule: (has(self.accessToken) && !has(self.oidcConfig)) || (!has(self.accessToken) && has(self.oidcConfig))
                        environment:
                          description: |-
                            Environment are YAML documents composed of static key-value pairs, programmatic expressions,
@@ -4272,11 +4395,13 @@ spec:
                          description: Project is the name of the Pulumi ESC project the environment belongs to.
                          type: string
                      required:
                        - accessToken
                        - environment
                        - organization
                        - project
                      type: object
                      x-kubernetes-validations:
                        - message: Exactly one of 'auth' or deprecated 'accessToken' must be specified
                          rule: (has(self.auth) && !has(self.accessToken)) || (!has(self.auth) && has(self.accessToken))
                    scaleway:
                      description: Scaleway configures this store to sync secrets using the Scaleway provider.
                      properties:
--- a/clusters/cl01tl/manifests/external-secrets/Deployment-external-secrets-cert-controller.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/Deployment-external-secrets-cert-controller.yaml
@@ -4,10 +4,10 @@ metadata:
  name: external-secrets-cert-controller
  namespace: external-secrets
  labels:
-    helm.sh/chart: external-secrets-2.4.1
+    helm.sh/chart: external-secrets-2.5.0
    app.kubernetes.io/name: external-secrets-cert-controller
    app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v2.4.1"
+    app.kubernetes.io/version: "v2.5.0"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/metrics: "cert-controller"
 spec:
@@ -20,10 +20,10 @@ spec:
  template:
    metadata:
      labels:
-        helm.sh/chart: external-secrets-2.4.1
+        helm.sh/chart: external-secrets-2.5.0
        app.kubernetes.io/name: external-secrets-cert-controller
        app.kubernetes.io/instance: external-secrets
-        app.kubernetes.io/version: "v2.4.1"
+        app.kubernetes.io/version: "v2.5.0"
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/metrics: "cert-controller"
    spec:
@@ -42,7 +42,7 @@ spec:
            runAsUser: 1000
            seccompProfile:
              type: RuntimeDefault
-          image: ghcr.io/external-secrets/external-secrets:v2.4.1@sha256:9440a40b394791a5e93f3f7e1b33399ecbdc0e38273de1d69ed83fe12936fc09
+          image: ghcr.io/external-secrets/external-secrets:v2.5.0@sha256:45e7bee4e743331288df01efce0e35b41738cffdc89c86a235359a5153257489
          imagePullPolicy: IfNotPresent
          args:
            - certcontroller
--- a/clusters/cl01tl/manifests/external-secrets/Deployment-external-secrets-webhook.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/Deployment-external-secrets-webhook.yaml
@@ -4,10 +4,10 @@ metadata:
  name: external-secrets-webhook
  namespace: external-secrets
  labels:
-    helm.sh/chart: external-secrets-2.4.1
+    helm.sh/chart: external-secrets-2.5.0
    app.kubernetes.io/name: external-secrets-webhook
    app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v2.4.1"
+    app.kubernetes.io/version: "v2.5.0"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/metrics: "webhook"
 spec:
@@ -20,10 +20,10 @@ spec:
  template:
    metadata:
      labels:
-        helm.sh/chart: external-secrets-2.4.1
+        helm.sh/chart: external-secrets-2.5.0
        app.kubernetes.io/name: external-secrets-webhook
        app.kubernetes.io/instance: external-secrets
-        app.kubernetes.io/version: "v2.4.1"
+        app.kubernetes.io/version: "v2.5.0"
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/metrics: "webhook"
    spec:
@@ -42,7 +42,7 @@ spec:
            runAsUser: 1000
            seccompProfile:
              type: RuntimeDefault
-          image: ghcr.io/external-secrets/external-secrets:v2.4.1@sha256:9440a40b394791a5e93f3f7e1b33399ecbdc0e38273de1d69ed83fe12936fc09
+          image: ghcr.io/external-secrets/external-secrets:v2.5.0@sha256:45e7bee4e743331288df01efce0e35b41738cffdc89c86a235359a5153257489
          imagePullPolicy: IfNotPresent
          args:
            - webhook
--- a/clusters/cl01tl/manifests/external-secrets/Deployment-external-secrets.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/Deployment-external-secrets.yaml
@@ -4,10 +4,10 @@ metadata:
  name: external-secrets
  namespace: external-secrets
  labels:
-    helm.sh/chart: external-secrets-2.4.1
+    helm.sh/chart: external-secrets-2.5.0
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v2.4.1"
+    app.kubernetes.io/version: "v2.5.0"
    app.kubernetes.io/managed-by: Helm
 spec:
  replicas: 3
@@ -19,10 +19,10 @@ spec:
  template:
    metadata:
      labels:
-        helm.sh/chart: external-secrets-2.4.1
+        helm.sh/chart: external-secrets-2.5.0
        app.kubernetes.io/name: external-secrets
        app.kubernetes.io/instance: external-secrets
-        app.kubernetes.io/version: "v2.4.1"
+        app.kubernetes.io/version: "v2.5.0"
        app.kubernetes.io/managed-by: Helm
    spec:
      serviceAccountName: external-secrets
@@ -40,7 +40,7 @@ spec:
            runAsUser: 1000
            seccompProfile:
              type: RuntimeDefault
-          image: ghcr.io/external-secrets/external-secrets:v2.4.1@sha256:9440a40b394791a5e93f3f7e1b33399ecbdc0e38273de1d69ed83fe12936fc09
+          image: ghcr.io/external-secrets/external-secrets:v2.5.0@sha256:45e7bee4e743331288df01efce0e35b41738cffdc89c86a235359a5153257489
          imagePullPolicy: IfNotPresent
          args:
            - --enable-leader-election=true
--- a/clusters/cl01tl/manifests/external-secrets/PodDisruptionBudget-external-secrets-pdb.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/PodDisruptionBudget-external-secrets-pdb.yaml
@@ -4,10 +4,10 @@ metadata:
  name: "external-secrets-pdb"
  namespace: external-secrets
  labels:
-    helm.sh/chart: external-secrets-2.4.1
+    helm.sh/chart: external-secrets-2.5.0
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v2.4.1"
+    app.kubernetes.io/version: "v2.5.0"
    app.kubernetes.io/managed-by: Helm
 spec:
  minAvailable: 1
--- a/clusters/cl01tl/manifests/external-secrets/Role-external-secrets-leaderelection.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/Role-external-secrets-leaderelection.yaml
@@ -4,10 +4,10 @@ metadata:
  name: external-secrets-leaderelection
  namespace: external-secrets
  labels:
-    helm.sh/chart: external-secrets-2.4.1
+    helm.sh/chart: external-secrets-2.5.0
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v2.4.1"
+    app.kubernetes.io/version: "v2.5.0"
    app.kubernetes.io/managed-by: Helm
 rules:
  - apiGroups:
--- a/clusters/cl01tl/manifests/external-secrets/RoleBinding-external-secrets-leaderelection.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/RoleBinding-external-secrets-leaderelection.yaml
@@ -4,10 +4,10 @@ metadata:
  name: external-secrets-leaderelection
  namespace: external-secrets
  labels:
-    helm.sh/chart: external-secrets-2.4.1
+    helm.sh/chart: external-secrets-2.5.0
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v2.4.1"
+    app.kubernetes.io/version: "v2.5.0"
    app.kubernetes.io/managed-by: Helm
 roleRef:
  apiGroup: rbac.authorization.k8s.io
--- a/clusters/cl01tl/manifests/external-secrets/Secret-external-secrets-webhook.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/Secret-external-secrets-webhook.yaml
@@ -4,10 +4,10 @@ metadata:
  name: external-secrets-webhook
  namespace: external-secrets
  labels:
-    helm.sh/chart: external-secrets-2.4.1
+    helm.sh/chart: external-secrets-2.5.0
    app.kubernetes.io/name: external-secrets-webhook
    app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v2.4.1"
+    app.kubernetes.io/version: "v2.5.0"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/metrics: "webhook"
    external-secrets.io/component: webhook
--- a/clusters/cl01tl/manifests/external-secrets/Service-external-secrets-cert-controller-metrics.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/Service-external-secrets-cert-controller-metrics.yaml
@@ -4,10 +4,10 @@ metadata:
  name: external-secrets-cert-controller-metrics
  namespace: external-secrets
  labels:
-    helm.sh/chart: external-secrets-2.4.1
+    helm.sh/chart: external-secrets-2.5.0
    app.kubernetes.io/name: external-secrets-cert-controller
    app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v2.4.1"
+    app.kubernetes.io/version: "v2.5.0"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/metrics: "cert-controller"
 spec:
--- a/clusters/cl01tl/manifests/external-secrets/Service-external-secrets-metrics.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/Service-external-secrets-metrics.yaml
@@ -4,10 +4,10 @@ metadata:
  name: external-secrets-metrics
  namespace: external-secrets
  labels:
-    helm.sh/chart: external-secrets-2.4.1
+    helm.sh/chart: external-secrets-2.5.0
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v2.4.1"
+    app.kubernetes.io/version: "v2.5.0"
    app.kubernetes.io/managed-by: Helm
 spec:
  type: ClusterIP
--- a/clusters/cl01tl/manifests/external-secrets/Service-external-secrets-webhook.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/Service-external-secrets-webhook.yaml
@@ -4,10 +4,10 @@ metadata:
  name: external-secrets-webhook
  namespace: external-secrets
  labels:
-    helm.sh/chart: external-secrets-2.4.1
+    helm.sh/chart: external-secrets-2.5.0
    app.kubernetes.io/name: external-secrets-webhook
    app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v2.4.1"
+    app.kubernetes.io/version: "v2.5.0"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/metrics: "webhook"
    external-secrets.io/component: webhook
--- a/clusters/cl01tl/manifests/external-secrets/ServiceAccount-external-secrets-cert-controller.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/ServiceAccount-external-secrets-cert-controller.yaml
@@ -4,9 +4,9 @@ metadata:
  name: external-secrets-cert-controller
  namespace: external-secrets
  labels:
-    helm.sh/chart: external-secrets-2.4.1
+    helm.sh/chart: external-secrets-2.5.0
    app.kubernetes.io/name: external-secrets-cert-controller
    app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v2.4.1"
+    app.kubernetes.io/version: "v2.5.0"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/metrics: "cert-controller"
--- a/clusters/cl01tl/manifests/external-secrets/ServiceAccount-external-secrets-webhook.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/ServiceAccount-external-secrets-webhook.yaml
@@ -4,9 +4,9 @@ metadata:
  name: external-secrets-webhook
  namespace: external-secrets
  labels:
-    helm.sh/chart: external-secrets-2.4.1
+    helm.sh/chart: external-secrets-2.5.0
    app.kubernetes.io/name: external-secrets-webhook
    app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v2.4.1"
+    app.kubernetes.io/version: "v2.5.0"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/metrics: "webhook"
--- a/clusters/cl01tl/manifests/external-secrets/ServiceAccount-external-secrets.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/ServiceAccount-external-secrets.yaml
@@ -4,8 +4,8 @@ metadata:
  name: external-secrets
  namespace: external-secrets
  labels:
-    helm.sh/chart: external-secrets-2.4.1
+    helm.sh/chart: external-secrets-2.5.0
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v2.4.1"
+    app.kubernetes.io/version: "v2.5.0"
    app.kubernetes.io/managed-by: Helm
--- a/clusters/cl01tl/manifests/external-secrets/ServiceMonitor-external-secrets-cert-controller-metrics.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/ServiceMonitor-external-secrets-cert-controller-metrics.yaml
@@ -2,10 +2,10 @@ apiVersion: "monitoring.coreos.com/v1"
 kind: ServiceMonitor
 metadata:
  labels:
-    helm.sh/chart: external-secrets-2.4.1
+    helm.sh/chart: external-secrets-2.5.0
    app.kubernetes.io/name: external-secrets-cert-controller
    app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v2.4.1"
+    app.kubernetes.io/version: "v2.5.0"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/metrics: "cert-controller"
  name: external-secrets-cert-controller-metrics
--- a/clusters/cl01tl/manifests/external-secrets/ServiceMonitor-external-secrets-metrics.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/ServiceMonitor-external-secrets-metrics.yaml
@@ -2,10 +2,10 @@ apiVersion: "monitoring.coreos.com/v1"
 kind: ServiceMonitor
 metadata:
  labels:
-    helm.sh/chart: external-secrets-2.4.1
+    helm.sh/chart: external-secrets-2.5.0
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v2.4.1"
+    app.kubernetes.io/version: "v2.5.0"
    app.kubernetes.io/managed-by: Helm
  name: external-secrets-metrics
  namespace: "external-secrets"
--- a/clusters/cl01tl/manifests/external-secrets/ServiceMonitor-external-secrets-webhook-metrics.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/ServiceMonitor-external-secrets-webhook-metrics.yaml
@@ -2,10 +2,10 @@ apiVersion: "monitoring.coreos.com/v1"
 kind: ServiceMonitor
 metadata:
  labels:
-    helm.sh/chart: external-secrets-2.4.1
+    helm.sh/chart: external-secrets-2.5.0
    app.kubernetes.io/name: external-secrets-webhook
    app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v2.4.1"
+    app.kubernetes.io/version: "v2.5.0"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/metrics: "webhook"
  name: external-secrets-webhook-metrics
--- a/clusters/cl01tl/manifests/external-secrets/ValidatingWebhookConfiguration-externalsecret-validate.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/ValidatingWebhookConfiguration-externalsecret-validate.yaml
@@ -3,10 +3,10 @@ kind: ValidatingWebhookConfiguration
 metadata:
  name: externalsecret-validate
  labels:
-    helm.sh/chart: external-secrets-2.4.1
+    helm.sh/chart: external-secrets-2.5.0
    app.kubernetes.io/name: external-secrets-webhook
    app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v2.4.1"
+    app.kubernetes.io/version: "v2.5.0"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/metrics: "webhook"
    external-secrets.io/component: webhook
--- a/clusters/cl01tl/manifests/external-secrets/ValidatingWebhookConfiguration-secretstore-validate.yaml
+++ b/clusters/cl01tl/manifests/external-secrets/ValidatingWebhookConfiguration-secretstore-validate.yaml
@@ -3,10 +3,10 @@ kind: ValidatingWebhookConfiguration
 metadata:
  name: secretstore-validate
  labels:
-    helm.sh/chart: external-secrets-2.4.1
+    helm.sh/chart: external-secrets-2.5.0
    app.kubernetes.io/name: external-secrets-webhook
    app.kubernetes.io/instance: external-secrets
-    app.kubernetes.io/version: "v2.4.1"
+    app.kubernetes.io/version: "v2.5.0"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/metrics: "webhook"
    external-secrets.io/component: webhook