chore(deps): update viaductoss/ksops docker tag to v4.5.1

[renovate]

This PR contains the following updates:

Package	Update	Change
viaductoss/ksops	minor	v4.2.4 → v4.5.1

---

Release Notes

viaduct-ai/kustomize-sops (viaductoss/ksops)

v4.5.1

Compare Source

Upgrade Guide: v4.5.0 to v4.5.1

What changed

In v4.5.0, ksops install always copied both ksops and kustomize from hardcoded paths. This release makes two improvements based on community feedback (#​327):

1. ksops install now uses os.Executable() to resolve its own binary path instead of hardcoding /usr/local/bin/ksops. This makes the install command work regardless of where the binary is located.

2. Kustomize copying is now opt-in via --with-kustomize. Since ArgoCD already ships with kustomize, ksops install now only copies the ksops binary by default. Pass --with-kustomize to also copy kustomize.

How to upgrade

Add --with-kustomize to your ksops install command if you want to continue overriding ArgoCD's built-in kustomize (the previous default behavior).

Before:

initContainers:
  - name: install-ksops
    image: viaductoss/ksops:v4.5.0
    command: ["/usr/local/bin/ksops", "install", "/custom-tools"]
    volumeMounts:
      - mountPath: /custom-tools
        name: custom-tools

After:

initContainers:
  - name: install-ksops
    image: viaductoss/ksops:v4.5.1
    command: ["/usr/local/bin/ksops", "install", "--with-kustomize", "/custom-tools"]
    volumeMounts:
      - mountPath: /custom-tools
        name: custom-tools

If you don't need to override ArgoCD's kustomize, you can drop --with-kustomize and remove the kustomize volume mount:

initContainers:
  - name: install-ksops
    image: viaductoss/ksops:v4.5.1
    command: ["/usr/local/bin/ksops", "install", "/custom-tools"]
    volumeMounts:
      - mountPath: /custom-tools
        name: custom-tools

Changelog

• fd75a70 fix: use os.Executable() for install and make kustomize opt-in (#​330)
• d9442dc v4.5.1

v4.5.0

Compare Source

Upgrade Guide: ArgoCD Init Container

What changed

Starting in v4.4.0, the ksops Docker image uses a distroless base image, which does not include /bin/sh, mv, or other shell utilities. This broke the documented ArgoCD init container pattern that relied on shell commands to copy binaries into a shared volume.

This release adds a built-in ksops install subcommand that copies the ksops and kustomize binaries to a target directory — no shell required.

How to upgrade

Replace the command and args in your init container. The volume mounts stay the same.

Before:

initContainers:

- name: install-ksops
  image: viaductoss/ksops:v4.4.0
  command: ["/bin/sh", "-c"]
  args:
  - echo "Installing KSOPS...";
    mv ksops /custom-tools/;
    mv kustomize /custom-tools/;
    echo "Done.";
    volumeMounts:
  - mountPath: /custom-tools
    name: custom-tools

After:

initContainers:

- name: install-ksops
  image: viaductoss/ksops:vX.Y.Z
  command: ["/usr/local/bin/ksops", "install", "/custom-tools"]
  volumeMounts:
  - mountPath: /custom-tools
    name: custom-tools

That's it. No other changes to your volumes, volume mounts, or container definitions are needed.

Affected configurations

This applies to all three documented ArgoCD integration methods:

• Strategic merge patch (argo-cd-repo-server-ksops-patch.yaml)
• ArgoCD CRD (OKD4/OCP4 kind: ArgoCD spec)
• Argo CD Helm chart (repoServer.initContainers values)

Workarounds no longer needed

If you were using any of these workarounds, you can remove them:

• Using alpine as the init container image to curl and extract the release tarball
• Building a custom container image that bundles ksops into the ArgoCD repo server
• Pinning to a version before v4.4.0

Changelog

• 92bc163 chore(deps): bump actions/checkout from 5 to 6 (#​307)
• 42d7795 chore(deps): bump actions/setup-go from 5 to 6 (#​302)
• cfb835c chore(deps): bump docker/login-action from 3 to 4 (#​315)
• a25bfcd chore(deps): bump docker/setup-buildx-action from 3 to 4 (#​316)
• 2aee20e chore(deps): bump docker/setup-qemu-action from 3 to 4 (#​317)
• 061495f chore(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 (#​309)
• 845389a chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 (#​325)
• d70b62e chore(deps): bump github.com/getsops/sops/v3 from 3.11.0 to 3.12.2 (#​319)
• 98fe884 chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.1 to 4.1.4 (#​323)
• 80616de chore(deps): bump github/codeql-action from 3 to 4 (#​305)
• eb80fe6 chore(deps): bump go.opentelemetry.io/otel/sdk from 1.37.0 to 1.43.0 (#​326)
• dd0987e chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.45.0 (#​306)
• 31dfb4e chore(deps): bump google.golang.org/grpc from 1.75.1 to 1.79.3 (#​318)
• d4c8c13 chore(deps): bump goreleaser/goreleaser-action from 6 to 7 (#​312)
• dfeab3f chore: v4.5.0 (#​329)
• 8f3b8d1 feat: add ksops install subcommand for distroless compatibility (#​327)
• 50ad78f feat: concurrent secret decryption (#​328)
• 4345f5f fix: pin to 1.25.0
• 8624cb3 update(sops): 3.10.2 -> 3.11.0 (#​304)

v4.4.0

Compare Source

Changelog

• 970918f Bump sigs.k8s.io/kustomize/api from v0.16.0 to v0.19.0 (#​275)
• 97f66d0 Optimize Docker image (#​271)
• 18bcac8 Optimize and structure Makefile (#​274)
• d79a6f0 chore(deps): bump actions/checkout from 4 to 5 (#​293)
• bc46d4d chore(deps): bump github.com/cloudflare/circl from 1.4.0 to 1.6.1 (#​285)
• 1ced974 chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (#​280)
• 487dded chore(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 (#​282)
• 404363d chore(deps): bump golang.org/x/net from 0.33.0 to 0.36.0 (#​281)
• fc21455 chore(deps): bump golang.org/x/net from 0.36.0 to 0.38.0 (#​284)
• 167e8ab chore(deps): bump golang.org/x/oauth2 from 0.24.0 to 0.27.0 (#​287)
• 86c8643 chore(deps): bump sigs.k8s.io/yaml from 1.4.0 to 1.5.0 (#​286)
• 844d8c2 chore(deps): bump sigs.k8s.io/yaml from 1.5.0 to 1.6.0 (#​288)
• 6f0e2a6 chore: update golang version to patch CVEs (#​296)
• ec19be6 fix(build): resolve kustomize installation failures during cross-compilation (#​299)
• 5890575 fix(cd): try use full path for checking kustomize installation
• 96fb5ef fix(ci): ensure go bin is part of PATH, add logging for debugging release CD
• c58ac0b update(sops): 3.9.2 -> 3.10.2 (#​297)
• 01bebbd v4.4.0

v4.3.3

Compare Source

Changelog

• 5e75cd4 Align the Go version and update Go to 1.23 (#​272)
• be78f8f chore(deps): bump filippo.io/age from 1.2.0 to 1.2.1 (#​266)
• b04a55a chore(deps): bump github.com/getsops/sops/v3 from 3.9.1 to 3.9.2 (#​265)
• ba228f5 chore(deps): bump golang.org/x/crypto from 0.29.0 to 0.31.0 (#​267)
• 2b687a1 chore(deps): bump google.golang.org/grpc from 1.64.0 to 1.64.1 (#​259)
• 294de9d chore: add newlines to prints (#​273)
• a7a691f fix(ci): update go to 1.22, migrate to staticcheck (#​262)
• 4a96154 security(deps): upgrade golang.org/x/net (#​268)
• bc3d055 v4.3.3

v4.3.2

Compare Source

Changelog

• 2b3838b Allow passing a custom dir to install ksops to (#​240)
• b8acbfb Update aws sdk version (#​256)
• c6d9ce8 adding how-to for ArgoCD/GitOps operator in OKD4/OCP4 (#​229)
• 010d4af chore(ci): Add DependaBot configuration for GitHub actions (#​233)
• 495f46e chore(ci): Update GitHub action versions (#​232)
• a4ba04c chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity (#​254)
• c055b7c chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.1 to 3.0.3 (#​234)
• 455af17 chore(deps): bump github.com/hashicorp/go-retryablehttp (#​257)
• a5e3613 chore(deps): bump golang.org/x/net from 0.17.0 to 0.23.0 (#​239)
• c886523 chore(deps): bump goreleaser/goreleaser-action from 5 to 6 (#​252)
• a3341e7 chore(deps): upgrade to sops 3.9.0 for security fixes (#​258)
• 56094c0 chore: add version to goreleaser.yml
• 7f6baaa fix(cd): give goreleaser permission to publish
• d069294 fix(cd): update go version in release workflow
• d8df78a fix: misspelling (#​251)
• b74fe65 update doc for argo-helm/argo-cd chart (#​241)
• c2c19ce v4.3.2

v4.3.1

Compare Source

Changelog

• a018a93 Fixed issue where invalid yaml was generated when using files together with secretFrom (#​221)
• bc619b6 chore(deps): bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 (#​223)
• 49edbe5 chore(deps): bump golang.org/x/crypto from 0.14.0 to 0.17.0 (#​222)
• 20e000f chore(deps): upgrade to kustomize v5.3.0 (#​225)
• f09c3b7 fix: typo in comment (#​224)
• 5ced30d v4.3.1

v4.3.0

Compare Source

Changelog

• d28c101 Bump sigs.k8s.io/yaml from 1.3.0 to 1.4.0 (#​209)
• 2f44068 chore(deps): bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 (#​220)
• 9895763 chore: trigger ci on pull_request event
• 980b683 feat: added binaryFiles option (#​211)
• 042c062 fix #​213: update golang version to 1.21 (#​216)
• 521aa6f v4.3.0

v4.2.5

Compare Source

Changelog

• b38f451 chore(deps): upgrade to kustomize v5.2.1 (#​208)
• 1209d59 v4.2.5

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.