UNCLASSIFIED - NO CUI


Remove hardcoded suffix in ClusterSecretStore AND Add EXTERNAL_SECRETS_NAMESPACE to wait-job

Issue 1

Issue #55 (closed) removed the hardcoded namespace from the `wait.sh` script; however, it never gets injected into the actual wait job. It is being used by the deployment instead, here. Update the wait-job to mount the configmap as an env so it can successfully overwrite the namespace in the `wait.sh` script.

```text
---
Running wait.sh...
---
+ namespace=external-secrets
+ cat
+ kubectl apply -f clustersecretstore.yaml
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "external-secrets.io/v1beta1, Resource=secretstores", GroupVersionKind: "external-secrets.io/v1beta1, Kind=SecretStore"
Name: "external-secrets-wait-job-store", Namespace: "external-secrets"
from server for: "clustersecretstore.yaml": secretstores.external-secrets.io "external-secrets-wait-job-store" is forbidden: User "system:serviceaccount:tcode:external-secrets-wait-job-sa" cannot get resource "secretstores" in API group "external-secrets.io" in the namespace "external-secrets"
+ [[ 1 -eq 0 ]]
+ exit 1
```

Issue 2

Can you remove the hardcoded `-clustersecretstore` suffix from the template here? This was previously set to `name: {{ $val.name }}-clustersecretstore`. We have over 100 external-secrets, so this requires changing the `secretStoreRef` in all 100 secrets to now reference a clustersecretstore called `*-clustersecretstore`. If you remove the suffix, then it will mitigate this issue.

Issue 3

Split out the creation of ClusterSecretStores and Secrets into 2 separate sections. We create our clustersecretstores with the values.yaml, and our secrets outside of the helm chart. However, the way the chart is currently configured, if you set `secretConfiguration.enabled` to true to create your clustersecretstore but don't pass anything in for the `secrets` section, it will error out. To fix this, create 2 separate sections like below:

```yaml
## values.yaml
ClusterSecretStoreConfiguration:
  enabled: false
  ClusterSecretStoreList:
    - name: default
      namespace: ""
      labels: ""
      annotations: ""
      source:
        # AWS secrets manager only - request for other services can be added later
        provider: aws
        # Specify type of service, i.e., SecretsManager (default)
        service: "SecretsManager"
        # Specify the name of the service, secretStoreRef.name
        serviceName: ""
        # Specify AWS region, i.e. us-gov-west-1, default is us-gov-west-1
        region: us-gov-west-1
        # Secret pull refresh interval.  Default is 1m.
        refreshInterval: "1m"
        auth:
          # Specify which authentication to use: identity, accesskey, serviceaccount
          authType: ""
          # Optional: Name of role that defines fine-grained access
          role: ""
          # Name of accessKeyID and secretAccessKey pair
          accessKeyName: ""
          # Specify AWS Access Key ID
          accessKeyID: ""
          # Specify AWS Secret Access Key
          secretAccessKey: ""
          # Name of a service account
          serviceAccount: ""

ExternalSecretsConfiguration:
  enabled: false
  secretList:
    - name: secret-1
      secrets:
        targetName: "" # target/destination secret name
        # target.creationPolicy default is Owner
        targetPolicy: ""
        # This name allows reference by other objects.
        secretKeyName:
          # Specify key here
          key: ""
          # Key version
          version: ""
          # Specify the property of the secret, i.e. username, password
          property: ""
          # Optional: metadataPolicy for ExternalSecret, i.e. Fetch
          metadataPolicy: ""
```
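As an added example (not the chart's own `wait.sh` and not code posted in this issue), the following POSIX shell sketch shows the namespace handling that the Issue 1 fix implies: the script reads `EXTERNAL_SECRETS_NAMESPACE`, which the Job must set on its container (for instance with `env[].valueFrom.configMapKeyRef` pointing at the chart's configmap), and refuses to run rather than silently falling back to `external-secrets`. That silent fallback is what put the SecretStore in a namespace the `tcode` service account has no RBAC for. The function names, the `fake` provider body and the `tcode` value used in the check are assumptions for illustration; the store name is the one from the log above.

```shell
#!/bin/sh
# Added example, not the chart's wait.sh: namespace handling that fails closed
# when EXTERNAL_SECRETS_NAMESPACE was not injected into the wait-job pod.
set -eu

# Return the namespace injected by the Job's env (e.g. via configMapKeyRef).
# Exit status 1 instead of a hardcoded default: a silent fallback to
# "external-secrets" is what produced the Forbidden error in the issue.
resolve_namespace() {
  if [ -z "${EXTERNAL_SECRETS_NAMESPACE:-}" ]; then
    echo "EXTERNAL_SECRETS_NAMESPACE is not set; refusing to default the namespace" >&2
    return 1
  fi
  printf '%s\n' "$EXTERNAL_SECRETS_NAMESPACE"
}

# Render the SecretStore the wait job applies, in the resolved namespace.
# The store name is the one seen in the log; the fake provider body is an
# assumption used only so the manifest is self-contained.
render_store_manifest() {
  ns="$(resolve_namespace)" || return 1
  name="${1:-external-secrets-wait-job-store}"
  cat <<EOF
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: ${name}
  namespace: ${ns}
spec:
  provider:
    fake:
      data:
        - key: wait-job-probe
          value: ok
EOF
}

# A namespaced SecretStore can only be applied by a service account with RBAC
# in that namespace, so the rendered namespace must equal the SA's namespace
# (e.g. "tcode" in the log). Exit status 0 when they match, 1 otherwise.
store_namespace_matches_sa() {
  sa_ns="$1"
  rendered_ns="$(render_store_manifest | awk '/^  namespace:/ { print $2 }')"
  [ "$rendered_ns" = "$sa_ns" ]
}

# Usage: EXTERNAL_SECRETS_NAMESPACE=tcode sh wait-ns.sh render | kubectl apply -f -
case "${1:-}" in
  render) render_store_manifest ;;
esac
```

The check is deliberately a hard failure: a wait job that cannot learn its namespace should exit non-zero so the Helm release fails visibly, instead of applying resources into whatever namespace happens to be hardcoded.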