Constant rewriting of the CRD #1138

Open
tropnikovvl opened this issue Apr 16, 2024 · 4 comments

@tropnikovvl

tropnikovvl commented Apr 16, 2024

Hello!

Using Flux, I deployed the external-secrets operator and its CRD.

The fact is that the external-secrets operator stores the caBundle directly in the CRD and therefore Flux constantly overwrites it.

Question: is it possible to add some manifest fields to those ignored by Kustomization?

{"level":"info","ts":"2024-04-16T11:13:17.992Z","msg":"server-side apply for cluster definitions completed","controller":"kustomization","controllerGroup":"kustomize.toolkit.fluxcd.io","controllerKind":"Kustomization","Kustomization":{"name":"crds-stack","namespace":"flux-system"},"namespace":"flux-system","name":"crds-stack","reconcileID":"c2167182-e883-4189-814e-7d895b0da69f","output":{"CustomResourceDefinition/clustersecretstores.external-secrets.io":"configured","CustomResourceDefinition/externalsecrets.external-secrets.io":"configured","CustomResourceDefinition/secretstores.external-secrets.io":"configured"}}

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - https://raw.githubusercontent.com/external-secrets/external-secrets/v0.9.14/deploy/crds/bundle.yaml

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  creationTimestamp: "2024-04-10T09:58:54Z"
  generation: 190
  labels:
    kustomize.toolkit.fluxcd.io/name: crds-stack
    kustomize.toolkit.fluxcd.io/namespace: flux-system
  name: clustersecretstores.external-secrets.io
  resourceVersion: "1265682"
  uid: 89ad4f41-1a9c-4bd8-951a-b38ae52dbca5
spec:
  conversion:
    strategy: Webhook
    webhook:
      clientConfig:
        caBundle: long caBundle
        service:
          name: external-secrets-webhook
          namespace: external-secrets
          path: /convert
          port: 443
      conversionReviewVersions:
      - v1
  group: external-secrets.io
  names:
    categories:
    - externalsecrets
    kind: ClusterSecretStore
    listKind: ClusterSecretStoreList
    plural: clustersecretstores
    shortNames:
    - css
    singular: clustersecretstore
  scope: Cluster

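To confirm which objects are caught in the rewrite loop described in the post above, the following added example (not part of the original issue and not Flux project code) counts how many distinct reconciliations report each object as "configured" in kustomize-controller JSON logs. The sample log lines, the `reconcileID` values and the function names `rewrite_counts` and `churning` are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample in the shape of the log line quoted in the issue;
# the reconcileID values r1..r3 are made up.
SAMPLE_LOG = """\
{"msg":"server-side apply for cluster definitions completed","Kustomization":{"name":"crds-stack","namespace":"flux-system"},"reconcileID":"r1","output":{"CustomResourceDefinition/clustersecretstores.external-secrets.io":"configured","CustomResourceDefinition/secretstores.external-secrets.io":"configured"}}
{"msg":"Reconciliation finished","Kustomization":{"name":"crds-stack","namespace":"flux-system"},"reconcileID":"r1"}
plain text line that is not JSON
{"msg":"server-side apply for cluster definitions completed","Kustomization":{"name":"crds-stack","namespace":"flux-system"},"reconcileID":"r2","output":{"CustomResourceDefinition/clustersecretstores.external-secrets.io":"configured","CustomResourceDefinition/secretstores.external-secrets.io":"configured"}}
{"msg":"server-side apply for cluster definitions completed","Kustomization":{"name":"crds-stack","namespace":"flux-system"},"reconcileID":"r3","output":{"CustomResourceDefinition/clustersecretstores.external-secrets.io":"configured"}}
"""


def rewrite_counts(log_text):
    """Return {(kustomization, object): n}, where n is the number of distinct
    reconciliations in which the object was reported as 'configured'."""
    counts = Counter()
    seen = set()  # (reconcileID, object), so a duplicated log line counts once
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank lines and non-JSON noise
        if not isinstance(entry, dict) or not isinstance(entry.get("output"), dict):
            continue  # only apply-result entries carry an "output" map
        ks = entry.get("Kustomization") or {}
        owner = f'{ks.get("namespace", "?")}/{ks.get("name", "?")}'
        rid = entry.get("reconcileID")
        for obj, action in entry["output"].items():
            if action == "configured" and (rid, obj) not in seen:
                seen.add((rid, obj))
                counts[(owner, obj)] += 1
    return counts


def churning(log_text, min_reconciles=3):
    """Objects rewritten in at least min_reconciles distinct reconciliations."""
    counts = rewrite_counts(log_text)
    return sorted(key for key, n in counts.items() if n >= min_reconciles)


if __name__ == "__main__":
    for (owner, obj), n in rewrite_counts(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {owner}  {obj}")
```

An object that is reported as "configured" on every interval, together with a steadily climbing `metadata.generation` like the one in the CRD above, points to two writers contending for the same field.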
@stefanprodan
Member

There is no way to ignore fields; you can only tell Flux to apply these objects as one-off:

apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
spec:
  patches:
  - patch: |
      - op: add
        path: /metadata/annotations/kustomize.toolkit.fluxcd.io~1ssa
        value: IfNotPresent
    target:
      kind: CustomResourceDefinition
      name: (clustersecretstores.external-secrets.io|secretstores.external-secrets.io)

@tropnikovvl
Author

@stefanprodan
Thanks for the answer!

How then will the update process occur when changing the version? Will it even work?

@stefanprodan
Member

There is no update unless you remove the annotation from Git and cluster. I suggest using a HelmRelease for the external-secrets operator, as helm-controller doesn't correct drift by default and bundles will stay put.

@stefanprodan
Member

We do have an issue for implementing fields ignore here: fluxcd/pkg#696. It may take months/years before I get to this unless someone steps in to work on it.
