Constant rewriting of the CRD
Hello!
Using Flux, I deployed the external-secrets operator and its CRD.
The fact is that the external-secrets operator stores the caBundle directly in the CRD and therefore Flux constantly overwrites it.
Question: is it possible to add some manifest fields to those ignored by Kustomization?
```json
{"level":"info","ts":"2024-04-16T11:13:17.992Z","msg":"server-side apply for cluster definitions completed","controller":"kustomization","controllerGroup":"kustomize.toolkit.fluxcd.io","controllerKind":"Kustomization","Kustomization":{"name":"crds-stack","namespace":"flux-system"},"namespace":"flux-system","name":"crds-stack","reconcileID":"c2167182-e883-4189-814e-7d895b0da69f","output":{"CustomResourceDefinition/clustersecretstores.external-secrets.io":"configured","CustomResourceDefinition/externalsecrets.external-secrets.io":"configured","CustomResourceDefinition/secretstores.external-secrets.io":"configured"}}
```

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://raw.githubusercontent.com/external-secrets/external-secrets/v0.9.14/deploy/crds/bundle.yaml
```
```yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  creationTimestamp: "2024-04-10T09:58:54Z"
  generation: 190
  labels:
    kustomize.toolkit.fluxcd.io/name: crds-stack
    kustomize.toolkit.fluxcd.io/namespace: flux-system
  name: clustersecretstores.external-secrets.io
  resourceVersion: "1265682"
  uid: 89ad4f41-1a9c-4bd8-951a-b38ae52dbca5
spec:
  conversion:
    strategy: Webhook
    webhook:
      clientConfig:
        caBundle: long caBundle
        service:
          name: external-secrets-webhook
          namespace: external-secrets
          path: /convert
          port: 443
      conversionReviewVersions:
      - v1
  group: external-secrets.io
  names:
    categories:
    - externalsecrets
    kind: ClusterSecretStore
    listKind: ClusterSecretStoreList
    plural: clustersecretstores
    shortNames:
    - css
    singular: clustersecretstore
  scope: Cluster
```
There is no way to ignore fields; you can only tell Flux to apply these objects as a one-off:
```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
spec:
  patches:
  - patch: |
      - op: add
        path: /metadata/annotations/kustomize.toolkit.fluxcd.io~1ssa
        value: IfNotPresent
    target:
      kind: CustomResourceDefinition
      name: (clustersecretstores.external-secrets.io|secretstores.external-secrets.io)
```
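The patch above hardcodes the two CRD names. As an added illustration (not code from the thread or from Flux), the following script generalises the same idea: it selects every CRD in a parsed bundle whose conversion strategy is `Webhook` (the only CRDs that carry an operator-managed `caBundle`), adds the `kustomize.toolkit.fluxcd.io/ssa: IfNotPresent` annotation to those, and derives the `(a|b)` target regex used in the answer. The manifests are constructed inline as already-parsed dicts (in practice they would come from `yaml.safe_load_all` over `bundle.yaml`).

```python
"""Mark webhook-conversion CRDs IfNotPresent so Flux SSA leaves their caBundle alone."""
import copy

SSA_ANNOTATION = "kustomize.toolkit.fluxcd.io/ssa"


def uses_conversion_webhook(doc: dict) -> bool:
    """True for a CRD whose spec.conversion.strategy is Webhook.

    Only such CRDs have spec.conversion.webhook.clientConfig.caBundle, which the
    operator rewrites in-cluster and which a Flux apply would otherwise revert."""
    if doc.get("kind") != "CustomResourceDefinition":
        return False
    return doc.get("spec", {}).get("conversion", {}).get("strategy") == "Webhook"


def annotate_if_not_present(docs: list[dict]) -> list[dict]:
    """Return deep copies of docs; webhook-conversion CRDs gain ssa: IfNotPresent.

    Mirrors the JSON6902 'add' patch from the answer, but selects CRDs by their
    conversion strategy instead of by a hardcoded name list."""
    result = []
    for doc in docs:
        doc = copy.deepcopy(doc)  # never mutate the caller's manifests
        if uses_conversion_webhook(doc):
            annotations = doc.setdefault("metadata", {}).setdefault("annotations", {})
            annotations[SSA_ANNOTATION] = "IfNotPresent"
        result.append(doc)
    return result


def flux_patch_target_regex(docs: list[dict]) -> str:
    """Build the target.name regex for the Flux Kustomization patch.

    Dots are left unescaped, exactly as in the answer's pattern; a dot matching
    any character is harmless here because the kind is also restricted."""
    names = sorted(d["metadata"]["name"] for d in docs if uses_conversion_webhook(d))
    return "(" + "|".join(names) + ")"


def _crd(name: str, strategy: str) -> dict:
    """Constructed sample CRD with the fields this script inspects."""
    conversion = {"strategy": strategy}
    if strategy == "Webhook":
        conversion["webhook"] = {"clientConfig": {"caBundle": "PLACEHOLDER-CA-BUNDLE"}}
    return {"apiVersion": "apiextensions.k8s.io/v1", "kind": "CustomResourceDefinition",
            "metadata": {"name": name,
                         "annotations": {"controller-gen.kubebuilder.io/version": "v0.14.0"}},
            "spec": {"conversion": conversion}}


# Constructed sample bundle: two webhook CRDs from the thread, one plain CRD, one non-CRD.
SAMPLE_DOCS = [_crd("clustersecretstores.external-secrets.io", "Webhook"),
               _crd("secretstores.external-secrets.io", "Webhook"),
               _crd("widgets.example.com", "None"),
               {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": "external-secrets"}}]
```

Running `annotate_if_not_present(SAMPLE_DOCS)` annotates only the two webhook CRDs, and `flux_patch_target_regex(SAMPLE_DOCS)` yields the same `(clustersecretstores.external-secrets.io|secretstores.external-secrets.io)` pattern as the answer.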
@stefanprodan Thanks for the answer!
How then will the update process occur when changing the version? Will it even work?
There is no update unless you remove the annotation from Git and cluster. I suggest using a HelmRelease for the external-secrets operator, as helm-controller doesn't correct drift by default and bundles will stay put.
We do have an issue for implementing fields ignore here: https://github.com/fluxcd/pkg/issues/696. It may take months/years before I get to this unless someone steps in to work on it.