Flagger continuously logs errors when a Deployment references an optional Secret

Open uderik opened this issue 2 months ago • 0 comments

Describe the bug

Flagger continuously logs errors when a Deployment references an optional Secret via env.valueFrom.secretKeyRef.optional: true, but the Secret does not exist.

Despite the error spam in logs, the Canary analysis proceeds successfully and completes as expected.

This behavior is misleading and noisy: Kubernetes itself treats optional secrets as valid configuration, but Flagger still attempts to fetch the Secret and logs an error on every reconciliation loop.

{
  "level": "error",
  "ts": "2025-12-10T13:04:11.208Z",
  "caller": "canary/config_tracker.go:228",
  "msg": "secret mixpanel-token.default get query failed: secret mixpanel-token.default get query error: secrets \"mixpanel-token\" not found",
  "stacktrace": "github.com/fluxcd/flagger/pkg/canary.(*ConfigTracker).GetTargetConfigs\n\t/workspace/pkg/canary/config_tracker.go:228\n..."
}

To Reproduce

env:
  - name: VITE_MIX_PANEL_TOKEN
    valueFrom:
      secretKeyRef:
        name: mixpanel-token
        key: MIXPANEL_TOKEN
        optional: true

Expected behavior

Flagger should not log errors for missing Secrets when secretKeyRef.optional: true is set. At most, this condition should be logged at debug or info level, or ignored entirely. Canary reconciliation and advancement should remain unchanged.

Additional context

Flagger version: 1.42
Kubernetes version: 1.34

Dec 10 '25 13:12 uderik