feat: refresh secret on delete when polling is disabled #413
Flydiverny left a comment:
I think this feature makes sense to add. And it would kind of align with other behaviours, like pods being recreated when deleted or so.
I'll have to dig through the code a bit more.
| - apiGroups: [""] | ||
| resources: ["secrets"] | ||
| verbs: ["create", "update"] | ||
| verbs: ["create", "update"{{ with (index .Values.env "POLL_INTERNAL_SECRETS") }}, "list"{{ end}}] |
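Review bot: the conditional on the `verbs` line keys the extra `list` grant on whether `POLL_INTERNAL_SECRETS` is present in `.Values.env`, not on its value, so a chart user who sets it to `"false"` to opt out still receives cluster-wide `list` on `secrets` (any non-empty string is truthy in Go templates). `if` reads more clearly than `with` here since the body never uses the rebound dot, but an explicit comparison such as `{{ if eq (toString (index .Values.env "POLL_INTERNAL_SECRETS")) "true" }}` would make the grant track the value, and since `list` on secrets across all namespaces is a broad permission, a line in the chart docs stating when it is granted would help operators audit it. Minor: `{{ end}}` should be `{{ end }}` for consistency with the opening action.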
Should this be `if` instead of `with`?
Thanks, changed
This PR is stale because it has been open 90 days with no activity. Remove the stale label or comment, or this will be closed in 30 days.
I had just updated my patch with recent master code, and it seems to be working fine for my use-case, and all auto-tests do pass. If we can get this reviewed and merged into the 8x series, it would be very appreciated!
Right now the only way to use `kubernetes-external-secrets` with some providers in certain circumstances is to set the environment variable `DISABLE_POLLING: true`, which leads to a no-op on every `_poll()`. For example, using the AWS SSM Parameter Store backend provider with several hundred `ExternalSecret` instances provisioned via that provider leads to rate limit errors within the AWS API. See #211 and #156 for more background on this scenario.

If `DISABLE_POLLING` is set to true, there is no way to refresh the internal `Secret` instance after it is created by the `ExternalSecret` for the first time, other than completely removing and then re-creating the `ExternalSecret`. This is not convenient when the `ExternalSecret` instance is controlled by Helm/FluxCD, and might lead to deployment inconsistencies.

This patch allows refreshing the `ExternalSecret` instance if its `Secret` instance was removed. It is achieved by tracking the names of the present `Secret` instances across all namespaces, and polling when for some `ExternalSecret` the corresponding `Secret` instance is missing. This patch is non-intrusive, and the new behavior is executed only if the environment variable `POLL_INTERNAL_SECRETS` is set.
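The poll decision this description outlines, as an added JavaScript example that is not the project's code: ExternalSecrets and Secrets are matched by `namespace/name`, and treating each flag as "set / not set" regardless of its value is an assumption that mirrors the chart condition reviewed above.

```javascript
// Added example (not kubernetes-external-secrets code): models which
// ExternalSecrets a poll cycle should refresh under the PR's flags.
// An ExternalSecret's backing Secret shares its namespace and name, so
// both kinds are keyed by "namespace/name".
const key = (obj) => `${obj.metadata.namespace}/${obj.metadata.name}`;

// Assumption: a flag counts as enabled when present, whatever its value,
// mirroring the chart's `with (index .Values.env "POLL_INTERNAL_SECRETS")`
// condition; so the string "false" still enables it.
function isSet(env, name) {
  return Object.prototype.hasOwnProperty.call(env, name);
}

// Returns the keys of the ExternalSecrets to poll this cycle:
//  - polling enabled                         -> every ExternalSecret
//  - DISABLE_POLLING only                    -> nothing (the no-op _poll())
//  - DISABLE_POLLING + POLL_INTERNAL_SECRETS -> only those whose Secret is gone
function externalSecretsToPoll(env, externalSecrets, secrets) {
  const all = externalSecrets.map(key);
  if (!isSet(env, 'DISABLE_POLLING')) return all;
  if (!isSet(env, 'POLL_INTERNAL_SECRETS')) return [];
  const present = new Set(secrets.map(key));
  return all.filter((k) => !present.has(k));
}

// Constructed sample cluster state: two ExternalSecrets, one backing
// Secret (web/api-token) has been deleted.
const meta = (namespace, name) => ({ metadata: { namespace, name } });
const SAMPLE_EXTERNAL_SECRETS = [meta('payments', 'db-creds'), meta('web', 'api-token')];
const SAMPLE_SECRETS = [meta('payments', 'db-creds')];

function demo() {
  return {
    polling: externalSecretsToPoll({}, SAMPLE_EXTERNAL_SECRETS, SAMPLE_SECRETS),
    disabled: externalSecretsToPoll({ DISABLE_POLLING: 'true' }, SAMPLE_EXTERNAL_SECRETS, SAMPLE_SECRETS),
    refreshOnDelete: externalSecretsToPoll(
      { DISABLE_POLLING: 'true', POLL_INTERNAL_SECRETS: 'true' },
      SAMPLE_EXTERNAL_SECRETS, SAMPLE_SECRETS),
  };
}

console.log(demo());
```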