From 0f7a1b9889261293346b83bc49418bdecb21f600 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts@users.noreply.github.com>
Date: Sat, 7 Feb 2026 07:33:08 +0000
Subject: [PATCH 1/2] external-secrets-operator-2.0: updated

---
 external-secrets-operator-2.0.yaml | 141 +++++++++++++++++++++++++++++
 1 file changed, 141 insertions(+)
 create mode 100644 external-secrets-operator-2.0.yaml

diff --git a/external-secrets-operator-2.0.yaml b/external-secrets-operator-2.0.yaml
new file mode 100644
index 000000000000..86db9d58c21b
--- /dev/null
+++ b/external-secrets-operator-2.0.yaml
@@ -0,0 +1,141 @@
+package:
+  name: external-secrets-operator-2.0
+  version: "2.0.0"
+  epoch: 0
+  description: Integrate external secret management systems with Kubernetes
+  copyright:
+    - license: Apache-2.0
+  dependencies:
+    provides:
+      - external-secrets-operator=${{package.full-version}}
+
+pipeline:
+  - uses: git-checkout
+    with:
+      repository: https://github.com/external-secrets/external-secrets
+      tag: v${{package.version}}
+      expected-commit: 7aa2fd718e3cb5509dce0ade077481b9a76e6d7a
+
+  - uses: go/build
+    with:
+      go-package: go
+      packages: .
+      output: external-secrets
+      tags: all_providers
+
+  - uses: strip
+
+test:
+  environment:
+    contents:
+      packages:
+        - git
+    paths:
+      - path: /home/build
+        type: directory
+        permissions: 0o755
+  pipeline:
+    - uses: test/kwok/cluster
+    - name: Setup and start operator
+      runs: |
+        set -euo pipefail
+
+        # Clone repository to get CRDs matching the built version
+        git clone --depth=1 --branch v${{package.version}} https://github.com/external-secrets/external-secrets
+
+        # Install CRDs
+        kubectl create -f external-secrets/deploy/crds/bundle.yaml
+        kubectl wait --for condition=established --timeout=60s crd/clustersecretstores.external-secrets.io
+        kubectl wait --for condition=established --timeout=60s crd/secretstores.external-secrets.io
+        kubectl wait --for condition=established --timeout=60s crd/externalsecrets.external-secrets.io
+
+        # Start the operator
+        external-secrets > operator.log 2>&1 &
+        OPERATOR_PID=$!
+        sleep 10
+
+        # Check operator is still running
+        if ! kill -0 $OPERATOR_PID 2>/dev/null; then
+          echo "ERROR: Operator failed to start"
+          cat operator.log
+          exit 1
+        fi
+
+        # Verify AWS provider is compiled in by creating a test SecretStore
+        cat <<EOF | kubectl apply -f -
+        apiVersion: external-secrets.io/v1
+        kind: SecretStore
+        metadata:
+          name: aws-test-store
+          namespace: default
+        spec:
+          provider:
+            aws:
+              service: SecretsManager
+              region: us-east-1
+              auth:
+                secretRef:
+                  accessKeyIDSecretRef:
+                    name: dummy
+                    key: dummy
+                  secretAccessKeySecretRef:
+                    name: dummy
+                    key: dummy
+        EOF
+
+        # Check if the store was accepted (provider registered)
+        # If AWS provider isn't compiled, this would fail with "failed to find registered store backend"
+        sleep 2
+        if kubectl -n default get secretstore aws-test-store -o yaml | grep -q "failed to find registered store backend"; then
+          echo "ERROR: AWS provider not compiled in"
+          kubectl -n default get secretstore aws-test-store -o yaml
+          exit 1
+        fi
+
+        echo "AWS provider is available"
+        kubectl -n default delete secretstore aws-test-store
+    - name: Test with fake provider
+      runs: |
+        set -euo pipefail
+
+        # Create a ClusterSecretStore with fake provider
+        # https://github.com/external-secrets/external-secrets/pull/661
+        kubectl apply -f clustersecretstore.yaml
+
+        # Create an ExternalSecret that references the fake store
+        kubectl apply -f externalsecret.yaml
+
+        # Wait for the operator to sync and create the secret
+        if ! kubectl wait --for=condition=Ready externalsecret test-secret -n default --timeout=20s; then
+          echo "ERROR: ExternalSecret did not become Ready within 20 seconds"
+          kubectl get externalsecret test-secret -n default -o yaml
+          exit 1
+        fi
+
+        # Verify the secret was actually created
+        if ! kubectl get secret my-created-secret -n default >/dev/null 2>&1; then
+          echo "ERROR: Secret was not created even though ExternalSecret is Ready"
+          kubectl get externalsecret test-secret -n default -o yaml
+          exit 1
+        fi
+
+        # Verify the secret contains the expected values
+        passwordValue=$(kubectl get secret my-created-secret -n default -o jsonpath='{.data.password}' | base64 -d)
+        usernameValue=$(kubectl get secret my-created-secret -n default -o jsonpath='{.data.username}' | base64 -d)
+
+        if [ "$passwordValue" != "super-secret-value" ]; then
+          echo "ERROR: Password field has unexpected value: $passwordValue"
+          exit 1
+        fi
+
+        if [ "$usernameValue" != "another-value" ]; then
+          echo "ERROR: Username field has unexpected value: $usernameValue"
+          exit 1
+        fi
+
+update:
+  enabled: true
+  github:
+    identifier: external-secrets/external-secrets
+    strip-prefix: v
+    tag-filter: v2.0.

From c5198286543f71d98e62200f2ad07a445a3f3000 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts@users.noreply.github.com>
Date: Sat, 7 Feb 2026 07:33:10 +0000
Subject: [PATCH 2/2] external-secrets-operator-2.0: updated patch directory

---
 .../clustersecretstore.yaml                   | 12 ++++++++++++
 .../externalsecret.yaml                       | 19 +++++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 external-secrets-operator-2.0/clustersecretstore.yaml
 create mode 100644 external-secrets-operator-2.0/externalsecret.yaml

diff --git a/external-secrets-operator-2.0/clustersecretstore.yaml b/external-secrets-operator-2.0/clustersecretstore.yaml
new file mode 100644
index 000000000000..6ba74ce08c93
--- /dev/null
+++ b/external-secrets-operator-2.0/clustersecretstore.yaml
@@ -0,0 +1,12 @@
+apiVersion: external-secrets.io/v1
+kind: ClusterSecretStore
+metadata:
+  name: fake-store
+spec:
+  provider:
+    fake:
+      data:
+      - key: "/test/secret"
+        value: "super-secret-value"
+      - key: "/another/secret"
+        value: "another-value"
\ No newline at end of file
diff --git a/external-secrets-operator-2.0/externalsecret.yaml b/external-secrets-operator-2.0/externalsecret.yaml
new file mode 100644
index 000000000000..76f08ea3cd88
--- /dev/null
+++ b/external-secrets-operator-2.0/externalsecret.yaml
@@ -0,0 +1,19 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: test-secret
+  namespace: default
+spec:
+  refreshInterval: 10s
+  secretStoreRef:
+    name: fake-store
+    kind: ClusterSecretStore
+  target:
+    name: my-created-secret
+  data:
+  - secretKey: password
+    remoteRef:
+      key: /test/secret
+  - secretKey: username
+    remoteRef:
+      key: /another/secret
\ No newline at end of file