Comments (9)
spec.template was implemented and merged. The secrets created by the controller use the labels/annotations from the template field and not from the ExternalSecret.metadata.
external-secrets/pkg/controllers/externalsecret/externalsecret_controller.go, lines 177 to 178 in 8c8064e
Thank you for your insights!
from external-secrets.
Are we propagating labels and annotations set on the externalsecret resource, i.e. (.metadata.labels and not .spec.template.metadata.labels)? If yes, wouldn't it be better to only propagate those? Similar to how a Deployment and resulting Pod would only use the template.
I agree, if automatic propagation presents a problem, then we can use the nested fields to selectively propagate labels and annotations. My understanding from a bit of debugging of crossplane/crossplane#2121 (comment) was that setting ownerReferences avoided this, so I would want to check a bit further before changing our current implementation.
from external-secrets.
Hmm.. we may need to test this out, but the created secret will have metadata.ownerReferences set, this should prevent ArgoCD from desiring to prune the secret resource. If this is not the case then we can disable propagation through another field.
from external-secrets.
In the case of ArgoCD, the controller can live in another cluster. That's probably why it is not using ownerReferences, because the "owner" lives outside the cluster and I think it uses kubectl to manage the resources.
If the ExternalSecret implements the spec.template for secrets, allowing the users to set the labels, what's the utility of propagating the metadata from the ExternalSecret instance?
@Flydiverny currently both annotations and labels are carried over at external-secrets/pkg/controllers/externalsecret/externalsecret_controller.go, lines 112 to 113 in d3fa350
IMHO, replicating the behaviour of a ReplicaSet with the pod template is more user friendly, as ExternalSecrets will behave the same way as other k8s resources and will allow the user to set just the labels they need for their use case. Having automatic (and unavoidable) propagation of metadata may lead to undesired scenarios like the one discussed in this issue and make the controller unusable.
from external-secrets.
@moolen any way to work around this from the operator's end? We have a very similar use case with pruning based on labels and I'd rather avoid changing every single kind: ExternalSecret to work around this if I could avoid it 😄
from external-secrets.
Hey @bcha, there's no controller-level mechanism like a flag to change the behaviour.
Out of curiosity, what's your use case / context?
from external-secrets.
We're using GitOps & deploy with https://github.com/Shopify/krane
Now the problem is that krane also does pruning that could be controlled with labels, but as the kind: Secret created by ESO by default gets the labels from kind: ExternalSecret -> they're always up for pruning when we do deployments. It isn't a massive issue as ESO just creates the secrets again, but in practice it results in some "failed" deployments & extra headache.
We could use this spec.target.template.metadata workaround, but we've got a lot of ExternalSecrets & I was kinda hoping that there was some other way to do it.
from external-secrets.
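The per-resource workaround mentioned in the thread, written out as an added example (this manifest is not from the external-secrets project or from any participant in this issue). The ExternalSecret carries a label that a GitOps tool could use for pruning; setting spec.target.template.metadata makes the controller build the generated Secret's labels and annotations from the template rather than from the ExternalSecret's own metadata, so the pruning label is not inherited. The namespace, names, the store, the remote key, the app label and the deploy.example.com/managed label are all constructed placeholders.

```yaml
# Added example, not project code: keep a GitOps pruning label off the generated Secret.
# All names, the namespace, the SecretStore and the remote key are constructed placeholders.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials
  namespace: example-ns
  labels:
    # Hypothetical label a deploy tool (e.g. krane) uses to decide what it owns
    # and may prune. Without a template this label would be copied to the Secret.
    deploy.example.com/managed: "true"
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: SecretStore
    name: example-store        # assumed to exist in example-ns
  target:
    name: db-credentials
    # With template.metadata set, the controller uses these labels/annotations
    # for the created Secret instead of the ExternalSecret's metadata above.
    template:
      metadata:
        labels:
          app.kubernetes.io/name: db
        annotations:
          example.com/managed-by: external-secrets
  data:
    - secretKey: password
      remoteRef:
        key: db/password        # assumed key in the backing store
```

After applying it, `kubectl get secret db-credentials -n example-ns --show-labels` should list only app.kubernetes.io/name, not deploy.example.com/managed, which is the check to run before relying on this in a pruning-enabled pipeline.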
No, there isn't. If you're running a policy engine like kyverno or OPA/Gatekeeper then you can implement that with a mutating webhook.
from external-secrets.