Resolve "ClusterSecretStore Does Not Require A Namespace"
General MR
Summary
Removes the namespace from the ClusterSecretStore, since this Kind is not namespace-aware.
Prior to this fix, the secretRef for the ClusterSecretStore and the final secret were required to be in the same namespace in order for ESO to work.
We move the namespace to be applied to the key references, so we can store the keys in a different namespace than the external-secret itself.
Relevant logs/screenshots
Test values:
apiVersion: v1
data:
  access-key: <REDACTED>
  secret-access-key: <REDACTED>
kind: Secret
metadata:
  name: aws-login
  namespace: external-secrets

values:
clusterSecretStoreConfiguration:
  enabled: true
  clusterSecretStoreList:
    - name: "team-sc-db"
      namespace: "external-secrets"
      labels: ""
      annotations: ""
      source:
        provider: aws
        service: SecretsManager
        region: "us-gov-west-1"
        refreshInterval: "20s"
        auth:
          authType: "accesskey"
          accessKeyName: "aws-login"
          accessKeyID: "access-key"
          secretAccessKey: "secret-access-key"
externalSecretsConfiguration:
  enabled: true
  secretList:
    - name: "team-sc-db"
      namespace: "jira"
      secrets:
        secretKeyName:
          key: "jira-db-test-cred"
        targetName: "jira-db-secret"
        targetPolicy: "Owner"
If we want to store the aws-login secret in the external-secrets namespace:
Current Behavior:
With these fixes:
Linked Issue
For #100 (closed)
Upgrade Notices
n/a
Edited by Michael Martin
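The arrangement the summary describes, written out as External Secrets Operator manifests. This is an added example, not the chart's rendered output or code from this MR. The `external-secrets.io/v1beta1` API version, the `dataFrom` mapping of `secretKeyName.key`, and the optional `conditions` block are assumptions; names and namespaces come from the test values above.

```yaml
# ClusterSecretStore is cluster-scoped, so metadata carries no namespace.
apiVersion: external-secrets.io/v1beta1   # assumed API version
kind: ClusterSecretStore
metadata:
  name: team-sc-db
spec:
  # Optional hardening, not part of the test values on this page:
  # limit which namespaces may reference this store.
  conditions:
    - namespaces:
        - jira
  provider:
    aws:
      service: SecretsManager
      region: us-gov-west-1
      auth:
        secretRef:
          # The namespace sits on each key reference, so the AWS
          # credentials stay in external-secrets and are never
          # copied into the consuming namespace.
          accessKeyIDSecretRef:
            name: aws-login
            key: access-key
            namespace: external-secrets
          secretAccessKeySecretRef:
            name: aws-login
            key: secret-access-key
            namespace: external-secrets
---
# The ExternalSecret lives in the consuming namespace and points at
# the cluster-scoped store by name.
apiVersion: external-secrets.io/v1beta1   # assumed API version
kind: ExternalSecret
metadata:
  name: team-sc-db
  namespace: jira
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: team-sc-db
  target:
    name: jira-db-secret
    creationPolicy: Owner
  dataFrom:                     # assumed mapping of secretKeyName.key
    - extract:
        key: jira-db-test-cred
```

Without a `conditions` entry, an ExternalSecret in any namespace can reference a ClusterSecretStore, so the restriction is worth reviewing whenever the store's credentials are broader than one team's secrets.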



