feat(container): update image viaductoss/ksops to v4.5.1

[trap-renovate]

This PR contains the following updates:

Package	Update	Change
viaductoss/ksops	minor	v4.3.3 → v4.5.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

viaduct-ai/kustomize-sops (viaductoss/ksops)

v4.5.1

Compare Source

Upgrade Guide: v4.5.0 to v4.5.1

What changed

In v4.5.0, ksops install always copied both ksops and kustomize from hardcoded paths. This release makes two improvements based on community feedback (#​327):

1. ksops install now uses os.Executable() to resolve its own binary path instead of hardcoding /usr/local/bin/ksops. This makes the install command work regardless of where the binary is located.

2. Kustomize copying is now opt-in via --with-kustomize. Since ArgoCD already ships with kustomize, ksops install now only copies the ksops binary by default. Pass --with-kustomize to also copy kustomize.

How to upgrade

Add --with-kustomize to your ksops install command if you want to continue overriding ArgoCD's built-in kustomize (the previous default behavior).

Before:

initContainers:
  - name: install-ksops
    image: viaductoss/ksops:v4.5.0
    command: ["/usr/local/bin/ksops", "install", "/custom-tools"]
    volumeMounts:
      - mountPath: /custom-tools
        name: custom-tools

After:

initContainers:
  - name: install-ksops
    image: viaductoss/ksops:v4.5.1
    command: ["/usr/local/bin/ksops", "install", "--with-kustomize", "/custom-tools"]
    volumeMounts:
      - mountPath: /custom-tools
        name: custom-tools

If you don't need to override ArgoCD's kustomize, you can drop --with-kustomize and remove the kustomize volume mount:

initContainers:
  - name: install-ksops
    image: viaductoss/ksops:v4.5.1
    command: ["/usr/local/bin/ksops", "install", "/custom-tools"]
    volumeMounts:
      - mountPath: /custom-tools
        name: custom-tools

Changelog

• fd75a70 fix: use os.Executable() for install and make kustomize opt-in (#​330)
• d9442dc v4.5.1

v4.5.0

Compare Source

Upgrade Guide: ArgoCD Init Container

What changed

Starting in v4.4.0, the ksops Docker image uses a distroless base image, which does not include /bin/sh, mv, or other shell utilities. This broke the documented ArgoCD init container pattern that relied on shell commands to copy binaries into a shared volume.

This release adds a built-in ksops install subcommand that copies the ksops and kustomize binaries to a target directory — no shell required.

How to upgrade

Replace the command and args in your init container. The volume mounts stay the same.

Before:

initContainers:

- name: install-ksops
  image: viaductoss/ksops:v4.4.0
  command: ["/bin/sh", "-c"]
  args:
  - echo "Installing KSOPS...";
    mv ksops /custom-tools/;
    mv kustomize /custom-tools/;
    echo "Done.";
    volumeMounts:
  - mountPath: /custom-tools
    name: custom-tools

After:

initContainers:

- name: install-ksops
  image: viaductoss/ksops:vX.Y.Z
  command: ["/usr/local/bin/ksops", "install", "/custom-tools"]
  volumeMounts:
  - mountPath: /custom-tools
    name: custom-tools

That's it. No other changes to your volumes, volume mounts, or container definitions are needed.

Affected configurations

This applies to all three documented ArgoCD integration methods:

• Strategic merge patch (argo-cd-repo-server-ksops-patch.yaml)
• ArgoCD CRD (OKD4/OCP4 kind: ArgoCD spec)
• Argo CD Helm chart (repoServer.initContainers values)

Workarounds no longer needed

If you were using any of these workarounds, you can remove them:

• Using alpine as the init container image to curl and extract the release tarball
• Building a custom container image that bundles ksops into the ArgoCD repo server
• Pinning to a version before v4.4.0

Changelog

• 92bc163 chore(deps): bump actions/checkout from 5 to 6 (#​307)
• 42d7795 chore(deps): bump actions/setup-go from 5 to 6 (#​302)
• cfb835c chore(deps): bump docker/login-action from 3 to 4 (#​315)
• a25bfcd chore(deps): bump docker/setup-buildx-action from 3 to 4 (#​316)
• 2aee20e chore(deps): bump docker/setup-qemu-action from 3 to 4 (#​317)
• 061495f chore(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 (#​309)
• 845389a chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 (#​325)
• d70b62e chore(deps): bump github.com/getsops/sops/v3 from 3.11.0 to 3.12.2 (#​319)
• 98fe884 chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.1 to 4.1.4 (#​323)
• 80616de chore(deps): bump github/codeql-action from 3 to 4 (#​305)
• eb80fe6 chore(deps): bump go.opentelemetry.io/otel/sdk from 1.37.0 to 1.43.0 (#​326)
• dd0987e chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.45.0 (#​306)
• 31dfb4e chore(deps): bump google.golang.org/grpc from 1.75.1 to 1.79.3 (#​318)
• d4c8c13 chore(deps): bump goreleaser/goreleaser-action from 6 to 7 (#​312)
• dfeab3f chore: v4.5.0 (#​329)
• 8f3b8d1 feat: add ksops install subcommand for distroless compatibility (#​327)
• 50ad78f feat: concurrent secret decryption (#​328)
• 4345f5f fix: pin to 1.25.0
• 8624cb3 update(sops): 3.10.2 -> 3.11.0 (#​304)

v4.4.0

Compare Source

Changelog

• 970918f Bump sigs.k8s.io/kustomize/api from v0.16.0 to v0.19.0 (#​275)
• 97f66d0 Optimize Docker image (#​271)
• 18bcac8 Optimize and structure Makefile (#​274)
• d79a6f0 chore(deps): bump actions/checkout from 4 to 5 (#​293)
• bc46d4d chore(deps): bump github.com/cloudflare/circl from 1.4.0 to 1.6.1 (#​285)
• 1ced974 chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (#​280)
• 487dded chore(deps): bump github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 (#​282)
• 404363d chore(deps): bump golang.org/x/net from 0.33.0 to 0.36.0 (#​281)
• fc21455 chore(deps): bump golang.org/x/net from 0.36.0 to 0.38.0 (#​284)
• 167e8ab chore(deps): bump golang.org/x/oauth2 from 0.24.0 to 0.27.0 (#​287)
• 86c8643 chore(deps): bump sigs.k8s.io/yaml from 1.4.0 to 1.5.0 (#​286)
• 844d8c2 chore(deps): bump sigs.k8s.io/yaml from 1.5.0 to 1.6.0 (#​288)
• 6f0e2a6 chore: update golang version to patch CVEs (#​296)
• ec19be6 fix(build): resolve kustomize installation failures during cross-compilation (#​299)
• 5890575 fix(cd): try use full path for checking kustomize installation
• 96fb5ef fix(ci): ensure go bin is part of PATH, add logging for debugging release CD
• c58ac0b update(sops): 3.9.2 -> 3.10.2 (#​297)
• 01bebbd v4.4.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[github-actions]

Diff

@@ spec.template.spec.initContainers.install-ksops.image @@
# apps/v1/Deployment/argocd/argocd-repo-server
! ± value change
- viaductoss/ksops:v4.3.3
+ viaductoss/ksops:v4.5.1

@@ spec.template.spec.initContainers.install-ksops.image @@
# apps/v1/Deployment/argocd/argocd-repo-server
! ± value change
- viaductoss/ksops:v4.3.3
+ viaductoss/ksops:v4.5.1

[Kentaro1043]

この問題に当たったので、解決待ち
viaduct-ai/kustomize-sops#300