fluxcd
diff --git a/.github/workflows/cifuzz.yaml b/.github/workflows/cifuzz.yaml
@@ -1,14 +1,14 @@
-name: CIFuzz
+name: fuzz
 on:
   pull_request:
     branches:
       - main
 
 permissions:
   contents: read # for actions/checkout to fetch code
-  
+
 jobs:
-  Fuzzing:
+  smoketest:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout

diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Setup QEMU
         uses: docker/setup-qemu-action@v1
         with:
@@ -23,22 +23,22 @@ jobs:
         id: buildx
         uses: docker/setup-buildx-action@v1
       - name: Restore Go cache
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-go-
       - name: Cache Docker layers
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         id: cache
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-buildx-ghcache-${{ github.sha }}
           restore-keys: |
             ${{ runner.os }}-buildx-ghcache-
       - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
         with:
           go-version: 1.17.x
       - name: Setup Kubernetes

diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -14,18 +14,18 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Setup QEMU
         uses: docker/setup-qemu-action@v1
         with:
           platforms: all
       - name: Setup Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
         with:
           buildkitd-flags: "--debug"
       - name: Build multi-arch container image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           push: false
           builder: ${{ steps.buildx.outputs.name }}

diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -22,7 +22,7 @@ jobs:
   build-push:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Setup Kustomize
         uses: fluxcd/pkg/actions/kustomize@main
       - name: Prepare
@@ -35,32 +35,32 @@ jobs:
           echo ::set-output name=BUILD_DATE::$(date -u +'%Y-%m-%dT%H:%M:%SZ')
           echo ::set-output name=VERSION::${VERSION}
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       - name: Setup Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: fluxcdbot
           password: ${{ secrets.GHCR_TOKEN }}
       - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           username: fluxcdbot
           password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
       - name: Generate images meta
         id: meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v4
         with:
           images: |
             fluxcd/${{ env.CONTROLLER }}
             ghcr.io/fluxcd/${{ env.CONTROLLER }}
           tags: |
             type=raw,value=${{ steps.prep.outputs.VERSION }}
       - name: Publish images
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           push: true
           builder: ${{ steps.buildx.outputs.name }}
@@ -92,7 +92,7 @@ jobs:
       - uses: anchore/sbom-action/download-syft@v0
       - name: Create release and SBOM
         if: startsWith(github.ref, 'refs/tags/v')
-        uses: goreleaser/goreleaser-action@v2
+        uses: goreleaser/goreleaser-action@v3
         with:
           version: latest
           args: release --release-notes=config/release/notes.md --rm-dist --skip-validate

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
@@ -1,4 +1,4 @@
-name: Scan
+name: scan
 
 on:
   push:
@@ -17,7 +17,7 @@ jobs:
     name: FOSSA
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Run FOSSA scan and upload build data
         uses: fossa-contrib/fossa-action@v1
         with:
@@ -30,12 +30,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v1
+        uses: github/codeql-action/init@v2
         with:
           languages: go
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v1
+        uses: github/codeql-action/autobuild@v2
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v1
+        uses: github/codeql-action/analyze@v2
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,50 @@
 
 All notable changes to this project are documented in this file.
 
+## 0.26.0
+
+**Release date:** 2022-06-01
+
+This prerelease comes with support for configuring the authentication to
+AWS KMS, Azure Key Vault and GCP KMS on multi-tenant clusters.
+A tenant can create a secret in their namespace with their KMS credentials
+and supply it to Flux using `Kustomization.spec.decryption.secretRef`.
+For more details on how to configure SOPS decryption with KMS, see the
+[docs](https://github.com/fluxcd/kustomize-controller/blob/v0.26.0/docs/spec/v1beta2/kustomization.md#secrets-decryption).
+
+Starting with this version, the controller conforms to the Kubernetes
+[API Priority and Fairness](https://kubernetes.io/docs/concepts/cluster-administration/flow-control/).
+The controller detects if the server-side throttling is enabled and uses the
+advertised rate limits. When server-side throttling is enabled, the controller
+ignores the `--kube-api-qps` and `--kube-api-burst` flags.
+
+In addition, Kustomize has been updated
+to [`v4.5.5`](https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize%2Fv4.5.5) 
+which comes with significant performance improvements for OpenAPI parsing.
+
+Improvements:
+- Support AWS KMS credentials using decryption secretRef
+  [#641](https://github.com/fluxcd/kustomize-controller/pull/641)
+  [#667](https://github.com/fluxcd/kustomize-controller/pull/667)
+- Support GCP KMS credentials using decryption secretRef
+  [#635](https://github.com/fluxcd/kustomize-controller/pull/635)
+- Update SOPS to v3.7.3
+  [#647](https://github.com/fluxcd/kustomize-controller/pull/647)
+- Update controller to kustomize v4.5.5
+  [#660](https://github.com/fluxcd/kustomize-controller/pull/660)
+- Update dependencies
+  [#650](https://github.com/fluxcd/kustomize-controller/pull/650)
+- Update Alpine to v3.16
+  [#661](https://github.com/fluxcd/kustomize-controller/pull/661)
+- Update go-yaml to v3.0.0
+  [#665](https://github.com/fluxcd/kustomize-controller/pull/665)
+- Update source-controller/api to v0.25.0
+  [#671](https://github.com/fluxcd/kustomize-controller/pull/671)
+
+Fixes:
+- Set digests in image override
+  [#655](https://github.com/fluxcd/kustomize-controller/pull/655)
+
 ## 0.25.0
 
 **Release date:** 2022-05-03

diff --git a/Dockerfile b/Dockerfile
@@ -31,7 +31,7 @@ COPY internal/ internal/
 ENV CGO_ENABLED=0
 RUN xx-go build -a -o kustomize-controller main.go
 
-FROM alpine:3.15
+FROM alpine:3.16
 
 RUN apk add --no-cache ca-certificates tini git openssh-client gnupg
 

diff --git a/api/go.mod b/api/go.mod
@@ -3,13 +3,16 @@ module github.com/fluxcd/kustomize-controller/api
 go 1.17
 
 require (
-	github.com/fluxcd/pkg/apis/kustomize v0.3.3
-	github.com/fluxcd/pkg/apis/meta v0.13.0
-	k8s.io/apiextensions-apiserver v0.23.5
-	k8s.io/apimachinery v0.23.5
+	github.com/fluxcd/pkg/apis/kustomize v0.4.1
+	github.com/fluxcd/pkg/apis/meta v0.14.1
+	k8s.io/apiextensions-apiserver v0.24.0
+	k8s.io/apimachinery v0.24.0
 	sigs.k8s.io/controller-runtime v0.11.2
 )
 
+// Fix CVE-2022-28948
+replace gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.0
+
 require (
 	github.com/go-logr/logr v1.2.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
@@ -20,13 +23,12 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/onsi/gomega v1.18.1 // indirect
 	github.com/stretchr/testify v1.7.1 // indirect
-	golang.org/x/net v0.0.0-20211216030914-fe4d6282115f // indirect
-	golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 // indirect
+	golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect
 	golang.org/x/text v0.3.7 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/klog/v2 v2.50.0 // indirect
+	k8s.io/klog/v2 v2.60.1 // indirect
 	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect
 	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect