This message was deleted.

@proud-solstice-16421 SecretStore is a namespaced custom resource: https://github.com/external-secrets/external-secrets/blob/main/deploy/crds/bundle.yaml#L4186 So it does expect a namespace. Why is it the case you want to remove the namespace?

Hi @billowy-army-68599, thx for looking into it. I am getting the following error:

error: resource default/externalstore was not successfully created by the Kubernetes API server : admission webhook "<http://validate.secretstore.external-secrets.io|validate.secretstore.external-secrets.io>" denied the request: invalid AuthSecretRef.ClientID: namespace not allowed with namespaced SecretStore

I found the following error and corresponding checks in the source code: https://github.com/external-secrets/external-secrets/blob/bdf437c2e1a1a441955b1036b84eed5f63bda5d9/pkg/utils/utils.go#L209C18-L209C18

clusterScope := store.GetObjectKind().GroupVersionKind().Kind == esv1beta1.ClusterSecretStoreKind
	if clusterScope && ref.Namespace == nil {
		return errRequireNamespace
	}
	if !clusterScope && ref.Namespace != nil {
		return errNamespaceNotAllowed
	}
	return nil

But, I might be overlooking something...

hrm, even their example has a namespace there? https://external-secrets.io/latest/api/secretstore/ That code you’re referencing is for the

ClusterSecretStore

resource, not the

SecretStore

What code do you have?

Hi! All resources from the External Secrets Provider are namespaced resources, including the cluster-wide ones. The GitHub link you posted is for the External Secret reference, not the store itself. Can you indeed show the entire deployment?

I took some time to think about it (slow thinker), but the namespace which was faulty was not the namespace of the resource but the namespace of the secret this CRD was referring to. So this has nothing to do with Pulumi. Thx very much for looking into it 😅