This repository has been archived by the owner on Jul 26, 2022. It is now read-only.
feat: refresh secret on delete when polling is disabled #413
Right now the only way to use kubernetes-external-secrets with some providers in certain circumstances is to set the environment variable DISABLE_POLLING: true, which will lead to a no-op on every _poll().

For example, using the AWS SSM Parameter Store backend provider with several hundred ExternalSecret instances provisioned via that provider leads to rate limit errors within the AWS API.

See #211 and #156 for more background on this scenario.

If DISABLE_POLLING is set to true, there is no way to refresh the internal Secret instance after it is created by the ExternalSecret for the first time, other than completely removing and then re-creating the ExternalSecret.

This is not convenient if the ExternalSecret instance is controlled by Helm/FluxCD, and might lead to deployment inconsistencies.

This patch allows for refreshing an ExternalSecret instance in case the Secret instance was removed. It is achieved by tracking the names of present Secret instances across all namespaces, and making the poll if, for some ExternalSecret, the corresponding Secret instance is missing.

This patch is non-intrusive, and the new behavior is executed only if the environment variable POLL_INTERNAL_SECRETS is set.
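
The tracking approach described above, as an added sketch that is not the code from this pull request or the project: the set of present Secrets is maintained from watch events (the standard Kubernetes `{ type, object }` shape), and only ExternalSecrets whose Secret is missing are reported for a backend call. The class, method and helper names are hypothetical, and it assumes the generated Secret has the same namespace and name as its ExternalSecret and that any non-empty POLL_INTERNAL_SECRETS value turns the behavior on.

```javascript
// Added illustration; class and method names are hypothetical, not the project's.
// Assumption: the generated Secret shares namespace and name with its ExternalSecret.
const keyOf = (obj) => `${obj.metadata.namespace}/${obj.metadata.name}`;

class MissingSecretTracker {
  constructor(env = process.env) {
    // Assumption: the feature is on whenever POLL_INTERNAL_SECRETS is non-empty.
    this.enabled = Boolean(env.POLL_INTERNAL_SECRETS);
    this.presentSecrets = new Set();   // keys of Secrets that currently exist
    this.externalSecrets = new Set();  // keys of known ExternalSecrets
  }

  // Feed events from a cluster-wide watch on Secrets ({ type, object }).
  onSecretEvent({ type, object }) {
    if (type === 'DELETED') this.presentSecrets.delete(keyOf(object));
    else this.presentSecrets.add(keyOf(object)); // ADDED or MODIFIED
  }

  // Feed events from the watch on ExternalSecret resources.
  onExternalSecretEvent({ type, object }) {
    if (type === 'DELETED') this.externalSecrets.delete(keyOf(object));
    else this.externalSecrets.add(keyOf(object));
  }

  // ExternalSecrets whose Secret is missing: the only ones worth a backend call.
  dueForRefresh() {
    if (!this.enabled) return [];
    return [...this.externalSecrets].filter((k) => !this.presentSecrets.has(k)).sort();
  }
}

// Constructed sample objects and events, for illustration only.
const obj = (namespace, name) => ({ metadata: { namespace, name } });
function demo(env) {
  const t = new MissingSecretTracker(env);
  for (const name of ['db-password', 'api-token']) {
    t.onExternalSecretEvent({ type: 'ADDED', object: obj('prod', name) });
    t.onSecretEvent({ type: 'ADDED', object: obj('prod', name) });
  }
  t.onSecretEvent({ type: 'ADDED', object: obj('prod', 'unrelated-tls') });
  const before = t.dueForRefresh();
  t.onSecretEvent({ type: 'DELETED', object: obj('prod', 'db-password') });
  t.onSecretEvent({ type: 'DELETED', object: obj('prod', 'unrelated-tls') });
  return { before, after: t.dueForRefresh() };
}

console.log(demo({ DISABLE_POLLING: 'true', POLL_INTERNAL_SECRETS: 'true' }));
```

Deleting a Secret that no ExternalSecret owns does not trigger a refresh, so backend traffic stays proportional to the number of managed Secrets that are actually missing.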