This repository has been archived by the owner on Jul 26, 2022. It is now read-only.
feat: refresh secret on delete when polling is disabled #413
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mksh
force-pushed
the
feature/refresh-on-delete
branch
4 times, most recently
from
c833f0f
to
b1190b6
Compare
Flydiverny
reviewed
Jul 30, 2020
| @@ -11,7 +11,7 @@ metadata: | |||
| rules: | |||
| - apiGroups: [""] | |||
| resources: ["secrets"] | |||
| verbs: ["create", "update"] | |||
| verbs: ["create", "update"{{ with (index .Values.env "POLL_INTERNAL_SECRETS") }}, "list"{{ end}}] | |||
There was a problem hiding this comment.
Should this be if instead of with ?
mksh
force-pushed
the
feature/refresh-on-delete
branch
from
b1190b6
to
f56933e
Compare
|
This pr is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days. |
|
This pr is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days. |
|
I had just updated my patch with recent master code, and it seems to be working fine for my use-case, and all auto-tests do pass. If we can get this reviewed and merged into 8x series, it would be very appreciated ! |
|
This pr is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 30 days. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Right now the only way to use
kubernetes-external-secretswith some providers in certain circumstances, is to set environment variableDISABLE_POLLING: true, which will lead to no-op on every_poll().For example, using AWS SSM Parameter Store backend provider with several hundred of
ExternalSecretinstances provisioned via that provider leads to rate limit errors within AWS API.See #211 and #156 for more background on this scenario.
In the case if
DISABLE_POLLINGset to true, there is no way to refresh internalSecretinstance after it is created byExternalSecretfor the first time, other than completely removing and then re-creatingExternalSecret.This is not convenient in the case if
ExternalSecretinstance is controlled by Helm/FluxCD, and might lead to deployment inconsistencies.This patch allows for refreshing
ExternalSecretinstance in case ifSecretinstance was removed. It is achieved by tracking names of presentSecretinstances across all namespaces, and making the poll in case if for someExternalSecretthe correspondingSecretinstance is missing.This patch is non-intrusive, and the new behavior is executed only in case if environment variable
POLL_INTERNAL_SECRETSis set.