chore(deps): update helm charts

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
argo-cd	helm_release	minor	9.4.17 → 9.5.0
cert-manager (source)	helm_release	patch	v1.20.1 → v1.20.2
external-secrets	helm_release	minor	2.2.0 → 2.3.0

---

Release Notes

argoproj/argo-helm (argo-cd)

v9.5.0

Compare Source

A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.

What's Changed

• feat(argo-cd): add VPA support for all components by @​rd-michel in #​3817

New Contributors

• @​rd-michel made their first contribution in #​3817

Full Changelog: argoproj/argo-helm@argo-cd-9.4.18...argo-cd-9.5.0

v9.4.18

Compare Source

A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.

What's Changed

• chore(deps): bump the dependencies group with 2 updates by @​dependabot[bot] in #​3819
• chore(deps): update renovatebot/github-action action to v46.1.8 by @​argoproj-renovate[bot] in #​3820
• chore(argo-cd): Update quay.io/argoprojlabs/argocd-extension-installer Docker tag to v1 by @​argoproj-renovate[bot] in #​3825

Full Changelog: argoproj/argo-helm@argo-workflows-1.0.7...argo-cd-9.4.18

cert-manager/cert-manager (cert-manager)

v1.20.2

Compare Source

v1.20.2 fixes invalid YAML generated in the Helm chart when both webhook.config
and webhook.volumes are defined, and bumps Go to 1.26.2 along with dependencies
to address reported vulnerabilities.

Changes by Kind

Bug or Regression

• Helm: Fix invalid YAML generated when both webhook.config and webhook.volumes are defined. (#​8665, @​cert-manager-bot)

Other (Cleanup or Flake)

• Bump go dependencies with reported vulnerabilities (#​8704, @​erikgb)
• Bump go to 1.26.2 (#​8703, @​erikgb)

external-secrets/external-secrets (external-secrets)

v2.3.0

Compare Source

Image: ghcr.io/external-secrets/external-secrets:v2.3.0
Image: ghcr.io/external-secrets/external-secrets:v2.3.0-ubi
Image: ghcr.io/external-secrets/external-secrets:v2.3.0-ubi-boringssl

What's Changed

General

• chore: release charts v2.2.0 by @​riccardomc in #​6115
• ref(modernize): modernize go code by @​ivankatliarchuk in #​6114
• chore: bump bitwarden helm chart version to v0.6.0 by @​Skarlso in #​6118
• chore: fix EoL in compatiblity table for version 2.2 by @​riccardomc in #​6128
• docs: add missing jinja2 tags by @​MindTooth in #​6136
• fix: cached uid after deleting a store by @​Skarlso in #​6138
• feat(doppler): add ETag-based caching by @​mikesellitto in #​5997
• fix(docs): fix metadata structure in Google Secrets Manager docs by @​mruoss in #​6139
• feat: ovh provider implementation by @​ldesauw in #​6101
• feat(providers): Implement PushSecret for Delinea Secret Server by @​pr0ton11 in #​6031
• fix: propagate objectMeta and ownerReferences to target resources by @​jaruwat-panturat in #​6132
• fix(release): remove docs.check and all relative calls by @​jaruwat-panturat in #​6146
• feat: support service account impersonation when using Workload Identity Federation with a k8s service account by @​zoomoid in #​5707
• fix: remove getHostByName from template funcs by @​moolen in #​6164
• ref(kubernetes): move auth package from kubernetes to esutils by @​alekc in #​6149
• docs: fix templating.md by @​dangbert in #​6168
• fix(onepasswordsdk): support native 1Password item IDs in findItem by @​LeahArmstrong in #​6167
• docs(ovhcloud): fix heterogeneous configuration documentation by @​ldesauw in #​6169
• docs: add OVHcloud in ADOPTERS by @​scraly in #​6172
• fix(docs): resolve macro syntax error in templating guide by @​ManvithaP-hub in #​6171
• chore: rip out sprig dependency by @​Skarlso in #​6170
• chore: fix jose cve by @​Skarlso in #​6178
• docs: document correct htpasswd function usage by @​Atomsoldat in #​6177
• feat(pushsecret): add dataTo support for bulk secret pushing by @​mohamed-rekiba in #​5850
• docs: add existing blog post: ESO integration with ovhcloud secret manager with vault provider by @​scraly in #​6190
• feat: move experimental-enable-vault-token-cache out of experimental and add expiry to validation by @​sfotony in #​5397
• fix: prevent feedback loop by @​moolen in #​6021
• fix: code scanning issues by @​Skarlso in #​6063
• feat: add source null byte policy by @​knelasevero in #​6194
• fix(test): fix broken test from automerge rebase by @​knelasevero in #​6199
• fix(aws): handle empty resource policy in PushSecret for SecretsManager by @​maks3201 in #​6145
• feat(github): add orgSecretVisibility field to GithubProvider by @​iamnoah in #​6202
• feat(onepasswordSDK): multi-field and complete PushSecret by @​Dariusch in #​6187
• feat(vault): add VaultRole attribute for TLS auth by @​RicoGunawan12 in #​6160
• chore: bump go version to 1.26.2 by @​Skarlso in #​6203

Dependencies

• chore(deps): bump actions/cache from 5.0.3 to 5.0.4 by @​dependabot[bot] in #​6121
• chore(deps): bump mkdocs-material from 9.7.5 to 9.7.6 in /hack/api-docs by @​dependabot[bot] in #​6125
• chore(deps): bump ubi9/ubi from 6ed9f6f to 1fc04e8 by @​dependabot[bot] in #​6119
• chore(deps): bump azure/login from 2.3.0 to 3.0.0 by @​dependabot[bot] in #​6120
• chore(deps): bump codecov/codecov-action from 5.5.2 to 5.5.3 by @​dependabot[bot] in #​6124
• chore(deps): bump github/codeql-action from 4.32.6 to 4.34.1 by @​dependabot[bot] in #​6122
• chore(deps): bump anchore/sbom-action from 0.23.1 to 0.24.0 by @​dependabot[bot] in #​6123
• chore(deps): bump importlib-metadata from 8.7.1 to 9.0.0 in /hack/api-docs by @​dependabot[bot] in #​6126
• chore(deps): bump sigstore/cosign-installer from 4.1.0 to 4.1.1 by @​dependabot[bot] in #​6154
• chore(deps): bump pymdown-extensions from 10.21 to 10.21.2 in /hack/api-docs by @​dependabot[bot] in #​6157
• chore(deps): bump actions/setup-go from 6.3.0 to 6.4.0 by @​dependabot[bot] in #​6151
• chore(deps): bump github/codeql-action from 4.34.1 to 4.35.1 by @​dependabot[bot] in #​6152
• chore(deps): bump dependabot/fetch-metadata from 2.5.0 to 3.0.0 by @​dependabot[bot] in #​6153
• chore(deps): bump pygments from 2.19.2 to 2.20.0 in /hack/api-docs by @​dependabot[bot] in #​6155
• chore(deps): bump regex from 2026.2.28 to 2026.3.32 in /hack/api-docs by @​dependabot[bot] in #​6156
• chore(deps): bump requests from 2.32.5 to 2.33.0 in /hack/api-docs by @​dependabot[bot] in #​6158
• chore(deps): bump ubi9/ubi from 1fc04e8 to 9e6e193 by @​dependabot[bot] in #​6150
• chore(deps): bump step-security/harden-runner from 2.16.0 to 2.16.1 by @​dependabot[bot] in #​6180
• chore(deps): bump charset-normalizer from 3.4.6 to 3.4.7 in /hack/api-docs by @​dependabot[bot] in #​6183
• chore(deps): bump click from 8.3.1 to 8.3.2 in /hack/api-docs by @​dependabot[bot] in #​6185
• chore(deps): bump fossas/fossa-action from 1.8.0 to 1.9.0 by @​dependabot[bot] in #​6181
• chore(deps): bump docker/login-action from 4.0.0 to 4.1.0 by @​dependabot[bot] in #​6182
• chore(deps): bump regex from 2026.3.32 to 2026.4.4 in /hack/api-docs by @​dependabot[bot] in #​6184

New Contributors

• @​MindTooth made their first contribution in #​6136
• @​ldesauw made their first contribution in #​6101
• @​pr0ton11 made their first contribution in #​6031
• @​zoomoid made their first contribution in #​5707
• @​dangbert made their first contribution in #​6168
• @​LeahArmstrong made their first contribution in #​6167
• @​scraly made their first contribution in #​6172
• @​ManvithaP-hub made their first contribution in #​6171
• @​Atomsoldat made their first contribution in #​6177
• @​mohamed-rekiba made their first contribution in #​5850
• @​sfotony made their first contribution in #​5397
• @​maks3201 made their first contribution in #​6145
• @​iamnoah made their first contribution in #​6202
• @​RicoGunawan12 made their first contribution in #​6160

Full Changelog: external-secrets/external-secrets@v2.2.0...v2.3.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Terraform Plan (03-services)

→ Resource Changes: 0 to create, 3 to update, 0 to re-create, 0 to delete, 0 ephemeral.

♻️ Update

helm_release.argocd

! id                         = "argocd" -> (known after apply)
! metadata                   = {
!     app_version    = "v3.3.6" -> (known after apply)
!     chart          = "argo-cd" -> (known after apply)
!     first_deployed = 1770562152 -> (known after apply)
!     last_deployed  = 1775345187 -> (known after apply)
!     name           = "argocd" -> (known after apply)
!     namespace      = "argocd" -> (known after apply)
!     notes          = <<-EOT
          In order to access the server UI you have the following options:
          
          1. kubectl port-forward service/argocd-server -n argocd 8080:443
          
              and then open the browser on http://localhost:8080 and accept the certificate
          
          2. enable ingress in the values file `server.ingress.enabled` and either
                - Add the annotation for ssl passthrough: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-1-ssl-passthrough
                - Set the `configs.params."server.insecure"` in the values file and terminate SSL at your ingress: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-2-multiple-ingress-objects-and-hosts
          
          
          After reaching the UI the first time you can login with username: admin and the random password generated during the installation. You can find the password by running:
          
          kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
          
          (You should delete the initial secret afterwards as suggested by the Getting Started Guide: https://argo-cd.readthedocs.io/en/stable/getting_started/#4-login-using-the-cli)
      EOT -> (known after apply)
!     revision       = 6 -> (known after apply)
!     values         = jsonencode(
          {
            - applicationSet = {
                - enabled = true
              }
            - configs        = {
                - cm     = {
                    - "oidc.config" = <<-EOT
                          "clientID": "argocd"
                          "clientSecret": "$oidc.authentik.clientSecret"
                          "issuer": "https://auth.lippok.dev/application/o/argocd/"
                          "name": "Authentik"
                          "requestedScopes":
                          - "openid"
                          - "profile"
                          - "email"
                          - "groups"
                      EOT
                    - url           = "https://argocd.lippok.dev"
                  }
                - params = {
                    - "server.insecure" = "true"
                  }
                - rbac   = {
                    - "policy.csv"     = "g, authentik Admins, role:admin"
                    - "policy.default" = "role:readonly"
                    - scopes           = "[groups]"
                  }
              }
            - global         = {
                - logging = {
                    - level = "warn"
                  }
              }
            - notifications  = {
                - enabled       = true
                - notifiers     = {
                    - "service.webhook.discord" = <<-EOT
                          url: $discord-webhook
                      EOT
                    - "service.webhook.github"  = <<-EOT
                          url: https://api.github.com
                          headers:
                            - name: Authorization
                              value: "token $github-token"
                            - name: Content-Type
                              value: application/json
                      EOT
                  }
                - secret        = {
                    - create = false
                  }
                - subscriptions = [
                    - {
                        - recipients = [
                            - "github",
                          ]
                        - triggers   = [
                            - "on-sync-running",
                            - "on-sync-succeeded",
                            - "on-sync-failed",
                            - "on-health-degraded",
                          ]
                      },
                    - {
                        - recipients = [
                            - "discord",
                          ]
                        - triggers   = [
                            - "on-app-failed",
                          ]
                      },
                  ]
                - templates     = {
                    - "template.discord-alert"        = <<-EOT
                          webhook:
                            discord:
                              method: POST
                              path: /
                              body: |
                                {
                                  "content": "**ArgoCD** `{{.app.metadata.name}}` — {{if eq .app.status.operationState.phase "Error"}}Sync error: {{.app.status.operationState.message}}{{else if eq .app.status.operationState.phase "Failed"}}Sync failed: {{.app.status.operationState.message}}{{else}}Health degraded ({{.app.status.health.status}}){{end}}\n<https://argocd.lippok.dev/applications/{{.app.metadata.name}}>"
                                }
                      EOT
                    - "template.github-commit-status" = <<-EOT
                          webhook:
                            github:
                              method: POST
                              path: /repos/{{call .repo.FullNameByRepoURL .app.spec.source.repoURL}}/statuses/{{.app.status.operationState.operation.sync.revision}}
                              body: |
                                {
                                  "state": "{{if eq .app.status.operationState.phase "Running"}}pending{{else if and (eq .app.status.operationState.phase "Succeeded") (eq .app.status.health.status "Healthy")}}success{{else}}failure{{end}}",
                                  "description": "{{if eq .app.status.operationState.phase "Running"}}Syncing…{{else if and (eq .app.status.operationState.phase "Succeeded") (eq .app.status.health.status "Healthy")}}Healthy{{else if eq .app.status.health.status "Degraded"}}Health degraded{{else}}Sync failed{{end}}",
                                  "target_url": "https://argocd.lippok.dev/applications/{{.app.metadata.name}}",
                                  "context": "argocd/{{.app.metadata.name}}"
                                }
                      EOT
                  }
                - triggers      = {
                    - "trigger.on-app-failed"      = <<-EOT
                          - when: app.status.operationState.phase in ['Error', 'Failed'] || app.status.health.status == 'Degraded'
                            send: [discord-alert]
                      EOT
                    - "trigger.on-health-degraded" = <<-EOT
                          - when: app.spec.source.repoURL contains 'github.com' && app.status.health.status == 'Degraded'
                            send: [github-commit-status]
                      EOT
                    - "trigger.on-sync-failed"     = <<-EOT
                          - when: app.spec.source.repoURL contains 'github.com' && app.status.operationState.phase in ['Error', 'Failed']
                            send: [github-commit-status]
                      EOT
                    - "trigger.on-sync-running"    = <<-EOT
                          - when: app.spec.source.repoURL contains 'github.com' && app.status.operationState != nil && app.status.operationState.phase in ['Running']
                            send: [github-commit-status]
                      EOT
                    - "trigger.on-sync-succeeded"  = <<-EOT
                          - when: app.spec.source.repoURL contains 'github.com' && app.status.operationState.phase in ['Succeeded'] && app.status.health.status == 'Healthy'
                            send: [github-commit-status]
                      EOT
                  }
              }
            - redis          = {
                - enabled      = true
                - volumeMounts = [
                    - {
                        - mountPath = "/data"
                        - name      = "redis-data"
                      },
                  ]
                - volumes      = [
                    - {
                        - emptyDir = {
                            - medium    = "Memory"
                            - sizeLimit = "1Gi"
                          }
                        - name     = "redis-data"
                      },
                  ]
              }
            - redis-ha       = {
                - enabled = false
              }
            - repoServer     = {
                - env            = [
                    - {
                        - name  = "TMPDIR"
                        - value = "/nfs-tmp"
                      },
                  ]
                - initContainers = [
                    - {
                        - command         = [
                            - "sh",
                            - "-c",
                            - "chown 999:999 /nfs-tmp && chmod 777 /nfs-tmp",
                          ]
                        - image           = "busybox"
                        - name            = "fix-nfs-permissions"
                        - securityContext = {
                            - runAsUser = 0
                          }
                        - volumeMounts    = [
                            - {
                                - mountPath = "/nfs-tmp"
                                - name      = "nfs-tmp"
                              },
                          ]
                      },
                  ]
                - volumeMounts   = [
                    - {
                        - mountPath = "/nfs-tmp"
                        - name      = "nfs-tmp"
                      },
                  ]
                - volumes        = [
                    - {
                        - name                  = "nfs-tmp"
                        - persistentVolumeClaim = {
                            - claimName = "argocd-repo-server-nfs"
                          }
                      },
                  ]
              }
            - server         = {
                - extraArgs = [
                    - "--insecure",
                  ]
              }
          }
      ) -> (known after apply)
!     version        = "9.4.17" -> (known after apply)
  } -> (known after apply)
  name                       = "argocd"
! version                    = "9.4.17" -> "9.5.0"
  # (28 unchanged attributes hidden)

helm_release.cert_manager

! id                         = "cert-manager" -> (known after apply)
! metadata                   = {
!     app_version    = "v1.20.1" -> (known after apply)
!     chart          = "cert-manager" -> (known after apply)
!     first_deployed = 1770562151 -> (known after apply)
!     last_deployed  = 1775345185 -> (known after apply)
!     name           = "cert-manager" -> (known after apply)
!     namespace      = "cert-manager" -> (known after apply)
!     notes          = <<-EOT
          cert-manager v1.20.1 has been deployed successfully!
          
          In order to begin issuing certificates, you will need to set up a ClusterIssuer
          or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
          
          More information on the different types of issuers and how to configure them
          can be found in our documentation:
          
          https://cert-manager.io/docs/configuration/
          
          For information on how to configure cert-manager to automatically provision
          Certificates for Ingress resources, take a look at the `ingress-shim`
          documentation:
          
          https://cert-manager.io/docs/usage/ingress/
          
          For information on how to configure cert-manager to automatically provision
          Certificates for Gateway API resources, take a look at the `gateway resource`
          documentation:
          
          https://cert-manager.io/docs/usage/gateway/
      EOT -> (known after apply)
!     revision       = 2 -> (known after apply)
!     values         = jsonencode(
          {
            - config = {
                - apiVersion       = "controller.config.cert-manager.io/v1alpha1"
                - enableGatewayAPI = true
                - kind             = "ControllerConfiguration"
              }
            - crds   = {
                - enabled = true
              }
          }
      ) -> (known after apply)
!     version        = "v1.20.1" -> (known after apply)
  } -> (known after apply)
  name                       = "cert-manager"
! version                    = "v1.20.1" -> "v1.20.2"
  # (28 unchanged attributes hidden)

helm_release.external_secrets

! id                         = "external-secrets" -> (known after apply)
! metadata                   = {
!     app_version    = "v2.2.0" -> (known after apply)
!     chart          = "external-secrets" -> (known after apply)
!     first_deployed = 1772488004 -> (known after apply)
!     last_deployed  = 1775345185 -> (known after apply)
!     name           = "external-secrets" -> (known after apply)
!     namespace      = "external-secrets" -> (known after apply)
!     notes          = <<-EOT
          external-secrets has been deployed successfully in namespace external-secrets!
          
          In order to begin using ExternalSecrets, you will need to set up a SecretStore
          or ClusterSecretStore resource (for example, by creating a 'vault' SecretStore).
          
          More information on the different types of SecretStores and how to configure them
          can be found in our Github: https://github.com/external-secrets/external-secrets
      EOT -> (known after apply)
!     revision       = 3 -> (known after apply)
!     values         = jsonencode(
          {
            - installCRDs = true
          }
      ) -> (known after apply)
!     version        = "2.2.0" -> (known after apply)
  } -> (known after apply)
  name                       = "external-secrets"
! version                    = "2.2.0" -> "2.3.0"
  # (28 unchanged attributes hidden)

---

Triggered by @renovate[bot], Commit: 4ad6cc620e910b7e25ce3cfbb3bd92a607d9eeca