ClusterExternalSecret Ready Condition Should Only be Set to False if There is an Error #3029
Labels
good first issue
Good for newcomers
kind/feature
Categorizes issue or PR as related to a new feature.
Is your feature request related to a problem? Please describe.
Currently, since #2582 has been merged.
ClusterExternalSecret
s never report ready until the controller has created anExternalSecret
in a targeted namespace. I get the rationale behind wanting to make it easier to indicate that theClusterExternalSecret
is not managing anyExternalSecret
s since this could be an indication of a misconfiguration of some kind but the implementation of not setting theReady
condition toTrue
until a namespace matches properly fails to recognize there are valid usecases for theClusterExternalSecret
to be sitting idle and waiting for a namespace to request anExternalSecret
be created.An example of such use case is to have a cluster operator provision a
ClusterExternalSecret
that can then be used by developer teams to createExternalSecret
s in namespaces that they need access to the secret data. Until a developer provisions a namespace that has this requirement, thisClusterExternalSecret
Ready
condition should beTrue
and waiting for a namespace to request anExternalSecret
be provisioned. This causes issues with Argo CD Since theClusterExternalSecret
is stuck withReady = False
, Argo never progresses the application to be ready and it is stuck perpetually pending until a namespace is created that matches the selector. This can have large downstream effects if you have automation in place that checks the status of argo applications to take some action.Describe the solution you'd like
The status should report that the
ClusterExternalSecret
Ready
condition isTrue
even if there are no namespaces that match the selector. This is in line with what a controller would indicateReady
to mean which is "This resource is ready to be used". TheProvisioned Namespaces
element of the status seems to be a more appropriate place to indicate that no namespaces have provisioned the external secret and another condition should be added if theClusterExternalSecret
controller tried to create anExternalSecret
in the namespace but was unable to. Using theReady
condition for this is causes issues when there are none present.Describe alternatives you've considered
The best workaround right now is the label the namespace that ESO is deployed in so that it matches the
ClusterExternalSecret
condition. This is fine but isn't really how this controller should be used as this namespace has no need for the data being grabbed by theExternalSecret
that get provisioned.The text was updated successfully, but these errors were encountered: