# kubernetes

proud-solstice-16421

07/07/2023, 2:05 PM
Hello everyone, I am trying to get some CRDs from the following controller to work: https://github.com/external-secrets/external-secrets I am facing the following issue where a default namespace is specified when no namespace is provided; the CRD expects no namespace to be defined. I tried setting it to null or an empty string, or removing any assignment of the namespace for this CRD object; still the default namespace is always referenced. Any idea how I can remove the namespace from the Pulumi output?
```
apiVersion: "external-secrets.io/v1beta1"
kind      : "SecretStore"
metadata  : {
    labels   : {
        app.kubernetes.io/managed-by: "pulumi"
    }
    name     : "externalstore"
    namespace: "default"
}
```

billowy-army-68599

07/07/2023, 2:30 PM
@proud-solstice-16421 SecretStore is a namespaced custom resource: https://github.com/external-secrets/external-secrets/blob/main/deploy/crds/bundle.yaml#L4186 So it does expect a namespace. Why is it the case you want to remove the namespace?

proud-solstice-16421

07/07/2023, 3:02 PM
Hi @billowy-army-68599, thx for looking into it. I am getting the following error:
```
error: resource default/externalstore was not successfully created by the Kubernetes API server : admission webhook "validate.secretstore.external-secrets.io" denied the request: invalid AuthSecretRef.ClientID: namespace not allowed with namespaced SecretStore
```
I found the following error and corresponding checks in the source code: https://github.com/external-secrets/external-secrets/blob/bdf437c2e1a1a441955b1036b84eed5f63bda5d9/pkg/utils/utils.go#L209C18-L209C18
```go
clusterScope := store.GetObjectKind().GroupVersionKind().Kind == esv1beta1.ClusterSecretStoreKind
if clusterScope && ref.Namespace == nil {
	return errRequireNamespace
}
if !clusterScope && ref.Namespace != nil {
	return errNamespaceNotAllowed
}
return nil
```
But, I might be overlooking something...

billowy-army-68599

07/07/2023, 3:06 PM
hrm, even their example has a namespace there? https://external-secrets.io/latest/api/secretstore/ That code you’re referencing is for the `ClusterSecretStore` resource, not the `SecretStore`. What code do you have?

billowy-engine-58246

07/09/2023, 1:47 PM
Hi! All resources from the External Secrets Provider are namespaced resources, including the cluster-wide ones. The GitHub link you posted is for the External Secret reference, not the store itself. Can you indeed show the entire deployment?

proud-solstice-16421

07/12/2023, 2:33 PM
I took some time to think about it (slow thinker), but the namespace which was faulty was not the namespace of the resource but the namespace of the secret this CRD was referring to. So this has nothing to do with Pulumi. Thx very much for looking into it 😅