Hello everyone, I am trying to get some CRDs from the following controller to work: https://github.com/external-secrets/external-secrets I am facing the following issue where a default namespace is specified when no namespace is provided, the CRD expects no namespace defined. I tried setting it to null, empty string or remove any assignment of the namespace for this CRD object, still the default namespace is always referenced. Any idea how I can remove the namespace from the pulumi output?

apiVersion: "<http://external-secrets.io/v1beta1|external-secrets.io/v1beta1>"
kind      : "SecretStore"
metadata  : {
    labels   : {
        <http://app.kubernetes.io/managed-by|app.kubernetes.io/managed-by>: "pulumi"
    }
    name     : "externalstore"
   namespace: "default"
}

@proud-solstice-16421 SecretStore is a namespaced custom resource: https://github.com/external-secrets/external-secrets/blob/main/deploy/crds/bundle.yaml#L4186 So it does expect a namespace. Why is it the case you want to remove the namespace?

Hi @billowy-army-68599, thx for looking into it. I am getting the following error:

error: resource default/externalstore was not successfully created by the Kubernetes API server : admission webhook "<http://validate.secretstore.external-secrets.io|validate.secretstore.external-secrets.io>" denied the request: invalid AuthSecretRef.ClientID: namespace not allowed with namespaced SecretStore

I found the following error and corresponding checks in the source code: https://github.com/external-secrets/external-secrets/blob/bdf437c2e1a1a441955b1036b84eed5f63bda5d9/pkg/utils/utils.go#L209C18-L209C18

clusterScope := store.GetObjectKind().GroupVersionKind().Kind == esv1beta1.ClusterSecretStoreKind
	if clusterScope && ref.Namespace == nil {
		return errRequireNamespace
	}
	if !clusterScope && ref.Namespace != nil {
		return errNamespaceNotAllowed
	}
	return nil

But, I might be overlooking something...

hrm, even their example has a namespace there? https://external-secrets.io/latest/api/secretstore/ That code you’re referencing is for the

ClusterSecretStore

resource, not the

SecretStore

What code do you have?

Hi! All resources from the External Secrets Provider are namespaced resources, including the cluster-wide ones. The GitHub link you posted is for the External Secret reference, not the store itself. Can you indeed show the entire deployment?

I took some time to think about it (slow thinker), but the namespace which was faulty was not the namespace of the resource but the namespace of the secret this CRD was referring to. So this has nothing to do with Pulumi. Thx very much for looking into it 😅