Background

I'm implementing an idea which I originally discussed on Slack about generating and managing API keys with ESO, which briefly boils down to this:

The important requirement here is that every API key is generated only once. N.B. My idea discussed on Slack received the "approved stamp" from the ESO maintainers :-)

Implementation

Here is the implementation of my idea, which I tested using ESO 0.8.1 on an AKS cluster:
If there's a resource version mismatch, it will do a full reconcile of the ExternalSecret. Because there are new labels and annotations it will do a full refresh. This is a feature to provide a way to re-generate / refresh on demand. I think the root cause should be clear. If you let Flux manage the ExternalSecrets from the get-go this won't happen, I believe 🤞.

Related code / precedence: external-secrets/pkg/controllers/externalsecret/externalsecret_controller.go Lines 506 to 514 in fb944d5
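The behaviour described in the reply above, as an added Go model that is not ESO's code and not part of the thread: a metadata change forces a refresh even when the interval is 0. The struct, the function names, the hashing scheme and the sample label value are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// ExternalSecret is a constructed, minimal stand-in for the real resource.
type ExternalSecret struct {
	Generation          int64
	Labels, Annotations map[string]string
	RefreshSeconds      int    // 0 models refreshInterval: 0s
	SyncedVersion       string // version recorded after the last successful sync
}

// hashMeta digests labels and annotations in a stable order (assumed scheme).
func hashMeta(labels, annotations map[string]string) string {
	var kv []string
	for prefix, m := range map[string]map[string]string{"l": labels, "a": annotations} {
		for k, v := range m {
			kv = append(kv, prefix+"\x00"+k+"\x00"+v)
		}
	}
	sort.Strings(kv)
	sum := sha256.Sum256([]byte(strings.Join(kv, "\x01")))
	return fmt.Sprintf("%x", sum[:8])
}

// ResourceVersion combines the spec generation with the metadata digest.
func ResourceVersion(es ExternalSecret) string {
	return fmt.Sprintf("%d-%s", es.Generation, hashMeta(es.Labels, es.Annotations))
}

// ShouldRefresh: a version mismatch wins over the interval, so interval 0 is no guard.
func ShouldRefresh(es ExternalSecret, intervalElapsed bool) bool {
	if es.SyncedVersion != ResourceVersion(es) {
		return true
	}
	return es.RefreshSeconds != 0 && intervalElapsed
}

func main() {
	es := ExternalSecret{Generation: 1, Labels: map[string]string{"app": "test"}}
	es.SyncedVersion = ResourceVersion(es) // constructed: state after the first sync
	fmt.Println("steady state:", ShouldRefresh(es, true))
	es.Labels["kustomize.toolkit.fluxcd.io/name"] = "apps" // constructed label change
	fmt.Println("after relabel:", ShouldRefresh(es, false))
}
```

In this model any tool that rewrites labels or annotations on the ExternalSecret triggers a regeneration of a generate-once key, so ownership of that metadata has to be stable.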
@moolen As I mentioned, I have two AKS clusters, A and B, both GitOps-based using Flux.
I have identified what was the difference between A and B that seems to be causing in cluster B re-generation of Password-based Secret despite setting its 'manager' ExternalSecret with refreshInterval: 0s.

I found that in cluster B I had multiple 2-3 Flux Kustomization-s with overlapping path-s, which effectively boiled down to

path: ./clusters/b in flux-kustomization-main.yaml
path: ./clusters/b/apps in flux-kustomization-apps.yaml
path: ./clusters/b/apps/tests in test-api-key.yaml

where test-api-key.yaml is