chore(deps): update helm release connect to v2.3.0

[renovate]

This PR contains the following updates:

Package	Update	Change
connect (source)	minor	2.2.1 → 2.3.0

---

Release Notes

1Password/connect-helm-charts (connect)

v2.3.0

Compare Source

A Helm chart for deploying 1Password Connect and the 1Password Connect Kubernetes Operator

⚠️ Credentials (2.3.0):

If you were using the double base64–encoding workaround for the credentials secret (1password-credentials.json), that no longer works as this issue has been resolved. Credentials are now mounted as a file and work with the standard single base64 encoding that Kubernetes applies to Secret data. If you were double encoding the credentials you will need to update the secret.

Change for reference:

• Fix credential secret when set from values with correct encoding and mount credentials as a file with OP_SESSION pointing to the path. (#​196)

Features

• Connect Helm chart supports operator.allowEmptyValues value to configure the Operator's --allow-empty-values flag. Empty secret field values are skipped by default. (#​264)
• Connect Helm chart supports configurable securityContext and is Pod Security Standards (Restricted) compliant, so it can run in restricted namespaces without Pod Security Admission warnings. (#​192, #​210, #​223)
• README values tables are now auto-generated from values.yaml for consistency. (#​268)
• Connect Helm chart supports operator trust for self-signed or internal CA certificates via operator.tls.trust.secret. (#​171, #​200)

Fixes

• Connect Helm chart now uses operator.serviceAccountToken.key for the operator’s service account token instead of operator.token.key. (#​266)
• Connect Helm chart supports a custom ServiceAccount for the Connect deployment, allowing a dedicated or pre-existing service account to be specified. (#​249)
• Fix expired dev Slack link in README. {#​265}
• Hide the credentials warning when connect.credentials_base64 is set, since credentials are already provided. (#​84)
• Fix credential secret when set from values with correct encoding and mount credentials as a file with OP_SESSION pointing to the path. (#​196)
• 1Password Operator image is updated to v1.11.0 to brings fixes for the operator.

New Contributors

• @​grhawk made their first contribution in #​196
• @​rishiy15 made their first contribution in #​265
• @​at-platform24 made their first contribution in #​248
• @​3deep5me made their first contribution in #​223
• @​applejag made their first contribution in #​210
• @​colstrom made their first contribution in #​184
• @​jeremyj made their first contribution in #​175
• @​craigmiller160 made their first contribution in #​200

Full Changelog: 1Password/connect-helm-charts@connect-2.2.1...connect-2.3.0

---

Configuration

📅 Schedule: Branch creation - "before 9am on tuesday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

--- kubernetes/apps/infrastructure/secrets/onepassword/app Kustomization: flux-system/cluster-apps-onepassword HelmRelease: secrets/onepassword

+++ kubernetes/apps/infrastructure/secrets/onepassword/app Kustomization: flux-system/cluster-apps-onepassword HelmRelease: secrets/onepassword

@@ -13,13 +13,13 @@

       chart: connect
       interval: 1m
       sourceRef:
         kind: HelmRepository
         name: 1password
         namespace: flux-system
-      version: 2.2.1
+      version: 2.3.0
   install:
     crds: CreateReplace
   interval: 5m
   upgrade:
     crds: CreateReplace
   values:

[github-actions]

--- HelmRelease: secrets/onepassword Deployment: secrets/onepassword-connect

+++ HelmRelease: secrets/onepassword Deployment: secrets/onepassword-connect

@@ -18,38 +18,47 @@

     metadata:
       labels:
         app: onepassword-connect
         version: 1.8.1
         app.kubernetes.io/component: connect
     spec:
+      securityContext:
+        fsGroup: 999
+        runAsGroup: 999
+        runAsNonRoot: true
+        runAsUser: 999
+        seccompProfile:
+          type: RuntimeDefault
       volumes:
       - name: shared-data
         emptyDir: {}
       - name: credentials
         secret:
           secretName: onepassword-api
+          items:
+          - key: session
+            path: 1password-credentials.json
       tolerations: []
       containers:
       - name: connect-api
         image: 1password/connect-api:1.8.1
         imagePullPolicy: IfNotPresent
         securityContext:
-          runAsUser: 999
-          runAsGroup: 999
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
         resources:
           limits:
             memory: 128Mi
           requests:
             cpu: 0.2
         env:
         - name: OP_SESSION
-          valueFrom:
-            secretKeyRef:
-              name: onepassword-api
-              key: session
+          value: /home/opuser/.op/1password-credentials.json
         - name: OP_BUS_PORT
           value: '11220'
         - name: OP_BUS_PEERS
           value: localhost:11221
         - name: OP_HTTP_PORT
           value: '8080'
@@ -69,28 +78,30 @@

           failureThreshold: 3
           periodSeconds: 30
           initialDelaySeconds: 15
         volumeMounts:
         - mountPath: /home/opuser/.op/data
           name: shared-data
+        - name: credentials
+          mountPath: /home/opuser/.op/1password-credentials.json
+          subPath: 1password-credentials.json
       - name: connect-sync
         image: 1password/connect-sync:1.8.1
         imagePullPolicy: IfNotPresent
         securityContext:
-          runAsUser: 999
-          runAsGroup: 999
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
         resources: {}
         env:
         - name: OP_HTTP_PORT
           value: '8081'
         - name: OP_SESSION
-          valueFrom:
-            secretKeyRef:
-              name: onepassword-api
-              key: session
+          value: /home/opuser/.op/1password-credentials.json
         - name: OP_BUS_PORT
           value: '11221'
         - name: OP_BUS_PEERS
           value: localhost:11220
         - name: OP_LOG_LEVEL
           value: info
@@ -107,7 +118,10 @@

           failureThreshold: 3
           periodSeconds: 30
           initialDelaySeconds: 15
         volumeMounts:
         - mountPath: /home/opuser/.op/data
           name: shared-data
+        - name: credentials
+          mountPath: /home/opuser/.op/1password-credentials.json
+          subPath: 1password-credentials.json
 
--- HelmRelease: secrets/onepassword Deployment: secrets/onepassword-connect-operator

+++ HelmRelease: secrets/onepassword Deployment: secrets/onepassword-connect-operator

@@ -17,25 +17,32 @@

   template:
     metadata:
       labels:
         name: onepassword-connect
         app.kubernetes.io/component: operator
     spec:
+      securityContext:
+        fsGroup: 65532
+        runAsGroup: 65532
+        runAsNonRoot: true
+        runAsUser: 65532
+        seccompProfile:
+          type: RuntimeDefault
       tolerations: []
       serviceAccountName: onepassword-connect-operator
+      volumes: null
       containers:
       - name: onepassword-connect
-        image: 1password/onepassword-operator:1.10.1
+        image: 1password/onepassword-operator:1.11.0
         imagePullPolicy: IfNotPresent
         securityContext:
-          runAsUser: 65532
-          runAsGroup: 65532
           allowPrivilegeEscalation: false
           capabilities:
             drop:
-            - all
+            - ALL
+          readOnlyRootFilesystem: true
         command:
         - /manager
         args:
         - --zap-log-level=info
         env:
         - name: WATCH_NAMESPACE
@@ -55,7 +62,8 @@

         - name: OP_CONNECT_TOKEN
           valueFrom:
             secretKeyRef:
               name: onepassword-api
               key: token
         resources: {}
+        volumeMounts: null